Fake ‘Fwd: Scan from a Xerox W. Pro’ emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Nov 7, 2012 - "... malicious cybercriminals spamvertise millions of emails attempting to trick end users into thinking that they’ve received a scanned document. Upon clicking on the links found in these emails, or viewing the malicious .html attachment, users are automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit... The first is mimicking a Xerox Pro printer, and the second is claiming to be a legitimate Wire Transfer. Both of these campaigns point to the same client-side exploits serving URL, indicating that they’ve been launched by the same cybercriminal/gang of cybercriminals.
Sample screenshots of the spamvertised emails:
> https://webrootblog....its_malware.png
> https://webrootblog...._malware_01.png
... sample javascript obfuscation: MD5: 0a8a06770836493a67ea2e9a1af844bf * ... Mal/JSRedir-M
... dropped malware: MD5: 194655f7368438ab01e80b35a5293875 ** ... Trojan-Ransom.Win32.PornoAsset.avzz
panalkinew .ru responds to the following IPs – 203.80.16.81, AS24514; 209.51.221.247, AS10297; 213.251.171.30, AS16276 ..."
* https://www.virustot...1ea40/analysis/
File name: Scan_N13004.htm
Detection ratio: 24/44
Analysis date: 2012-11-05
** https://www.virustot...75ed8/analysis/
File name: d34c2e80562a36fb762be72e490b7793887c3192
Detection ratio: 25/43
Analysis date: 2012-11-01
___

The attachment contains obfuscated Javascript that attempts to direct the visitor to a malicious payload at [donotclick]controlleramo .ru:8080/forum/links/column.php hosted on:
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNet, US)
These IP addresses have been used in several attacks recently, and you should block access to them if you can."
___

Phishers take aim at USAA
- http://www.gfi.com/b...ke-aim-at-usaa/
Nov 7, 2012 - "Customers of the United Services Automobile Association, or USAA, are confronted with a faceless threat and may likely find themselves within enemy territory... if they’re not careful enough. Our researchers in the AV Labs spotted a phishing attack aimed at USAA customers who are mainly military service members, veterans and their families. The attack starts with the following spam:
> http://www.gfi.com/b...SAACred_115.png
From: {random}
To: {random}
Subject: USAA – Account Security Update
Message body: Dear Valued Customer, We detected irregular activities on your USAA Internet Banking account. Your Internet banking account has been temporarily suspended for your protection, you must verify this activity before you can continue using your Internet banking account with USAA Bank. Please follow the reference link below to verify your account. [link] Click here to verify [/link] Security advice : Always log-off completely your Internet banking account after using internet banking from a public places or computer for security reasons. Thank you, USAA Internet Banking.

Once a recipient clicks Click here to verify, he/she is then taken to a legitimate-looking USAA login page... take note of the URL:
> http://www.gfi.com/b.../11/usaa011.png
This phishing page asks for a member’s Online ID, password and the PIN number of their USAA-issued credit or debit card, which the phishers made a compulsory detail to add on the login page. Note, however, that the actual USAA login page* does -not- ask for their members’ PINs. PIN numbers can personally identify individuals and their owners must only have sole knowledge of them. Members must never disclose them to any service provider or individual. Likewise, service providers must never ask for them (as proof of membership) nor store them in any form. Private citizens are also not safe from this phishing attack. Although USAA caters more to the military folks and their families, USAA has made available its online banking service to anyone, locally and internationally. USAA clients should be aware that phishing attacks are happening not just to online banking and e-commerce sites but also to financial services and insurance companies. We advise recipients of the phishing email to -delete- it from their inboxes..."
* https://www.usaa.com...ent_logon/Logon

getyourbet .org injection attack
- http://blog.dynamoo....ion-attack.html
8 Nov 2012 - "There seems to be an injection attack doing the rounds, the injected domain is getyourbet .org hosted on 31.184.192.237. The domain registration details are:
Registrant ID: TOD-42842658
Registrant Name: ChinSec
Registrant Organization: ChinSec
Registrant Street1: Beijing
Registrant Street2:
Registrant Street3:
Registrant City: Beijing
Registrant State/Province: BJ
Registrant Postal Code: 519000
Registrant Country: CN
Registrant Phone: +86.5264337745
Registrant Phone Ext.:
Registrant FAX: +86.5264337745
Registrant FAX Ext.:
Registrant Email: chinseccdomains @ yahoo .com
The domain was created on 12th October. The IP address is in Russia (PIN-DEDICATEDSERVERS-NET).
This is a two stage attack, if getyourbet .org is called with the correct referrer parameters then the victim ends up at another server at 64.202.123.3 (Hostforweb, US) that tries to serve up a malicious payload. This server contains a bunch of subdomains from a hacked GoDaddy account.
pin.panacheswimwear .co.uk
physical.oneandonlykanuhura .com
pig.onmailorder .com
picture.onlyplussizes .com
person.nypersonaltrainers .com
pipe.payday-loanstoday .com
I've seen this sort of abuse of GoDaddy domains before, the main "www" domain resolves OK, but the subdomains get pointed elsewhere. There's either a problem with GoDaddy or this is done through a phish.
Anyway, block 64.202.123.3 and 31.184.192.237 if you can to prevent further attacks."

.The machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

Fake Intuit emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Nov 9, 2012 - "Intuit users, beware! Cybercriminals are currently mass mailing millions of emails impersonating Intuit’s Direct Deposit Service, in an attempt to trick its users into clicking on the malicious links found in the legitimate-looking emails. Upon clicking on -any- of them, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Detection rate for the dropped malware: MD5: ebe81fe9a632726cb174043f6ac93e46 * ... Trojan.Win32.Bublik.qqf
Client-side exploits serving domain reconnaissance:
savedordercommunicates.info – 75.127.15.39, AS36352 – Email: heike_ruigrok32 @ naplesnews .net
Name Server: NS1.CHELSEAFUN .NET – 173.234.9.89, AS15003 – also responding to the same IP is the following malicious name server: ns1.nationalwinemak .com
Name Server: NS2.CHELSEAFUN .NET – 65.131.100.90, AS209
We’ve already seen the -same- name servers used in the previously profiled “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware” malicious campaign, indicating that both of these campaigns are managed by the same malicious party.
Responding to the same IP (75.127.15.39) is also the following malicious domain:
teamscapabilitieswhich .org..."
* https://www.virustot...c1e14/analysis/
File name: download
Detection ratio: 29/44
Analysis date: 2012-11-08
___

The attachment leads to a malicious payload at [donotclick]canadianpanakota .ru :8080/forum/links/column.php hosted on the following IPs:
120.138.20.54 (SiteHost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
These IPs will probably be used in other attacks, blocking access to them now might be prudent. The following IPs and domains are all related:
120.138.20.54
202.180.221.186
203.80.16.81
canadianpanakota .ru
controlleramo .ru
donkihotik .ru
finitolaco .ru
fionadix .ru
forumibiza .ru
lemonadiom .ru
peneloipin .ru
moneymakergrow .ru ..."

Edited by AplusWebMaster, 09 November 2012 - 08:37 AM.


Fake American Express emails serve client-side exploits and malware...
- http://blog.webroot....ts-and-malware/
Nov 12, 2012 - "American Express cardholders, beware! Over the past week, cybercriminals mass mailed millions of emails impersonating American Express, in an attempt to trick its customers into clicking on the malicious links found in the emails. Upon clicking on any of the links, users are redirected to a malicious URL serving client-side exploits courtesy of the BlackHole Exploit Kit....
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Malicious domain name reconnaissance:
stempare .net – 109.123.220.145, AS15685 – Email: rebe_bringhurst1228 @ i-connect .com
Name Server: NS1.TOPPAUDIO .COM – 91.216.93.61, AS50300 – Email: windowclouse @ hotmail .com
Name Server: NS2.TOPPAUDIO .COM – 29.217.45.138 – Email: windowclouse @ hotmail .com ...
Upon loading of the malicious URL, a malicious PDF file exploiting CVE-2010-0188 is used to ultimately drop the actual payload – MD5: c8c607bc630ee2fe6a8c31b8eb03ed43 * ... Trojan.Win32.Bublik.ptf...
Upon execution, the dropped malware requests a connection to 192.5.5.241 :8080 and then establishes a connection with 210.56.23.100 :8080/Ajtw/UCygrDAA/Ud+asDAA (AS7590, Commission For Science And Technology, Pakistan). The following domain responds to this IP: discozdata .org. It is currently blacklisted in 25 anti-spam lists. The following URLs are known to have (been) directly serving malicious content, and act as command and control servers in the past:
210.56.23.100 :8080/asp/intro.php
210.56.23.100 :8080/za/v_01_a/in ...
The last time we came across this IP (210.56.23.100), was in July 2012's analysis of yet another malicious campaign, this time impersonating American Airlines..."
* https://www.virustot...c6182/analysis/
File name: c8c607bc630ee2fe6a8c31b8eb03ed43
Detection ratio: 15/43
Analysis date: 2012-11-02
___

Cableforum.co .uk hacked?
- http://blog.dynamoo....ouk-hacked.html
12 Nov 2012 - "Cableforum.co .uk is a popular and useful UK site about digital TV and broadband. Unfortunately, the email address list has leaked out and is being used for spamming, for example:
NatWest : Helpful Banking Dear Valued Member ; To prevent unauthorized access to your accounts, your online service has been temporarily locked. No further log in attempts will be accepted. This is a procedure that automatically occur when an invalid information is submitted during the log in process. Please follow the provided steps below to confirm your identity and restore your online access...
> https://lh3.ggpht.co...600/natwest.png
This is a standard NatWest phish. It doesn't originate from Cableforum.co.uk or its servers, but it is sent to an address ONLY used for Cableforum, so it must have leaked out somehow... Sadly, crap like this happens to good websites... Clearly there has been a problem for several months, although it isn't clear when such an address leak occurred or what data was taken with it. You should always assume that the passwords have been compromised and change it, plus change it anywhere that you re-use the same password."

Edited by AplusWebMaster, 12 November 2012 - 09:01 AM.


Blackhole exploit kit - top threat by a large margin
- https://blogs.techne...ew-heights.aspx
12 Nov 2012 - "... exploit activity has increased substantially over the past year... large increases in HTML/JavaScript exploit activity and Oracle Java exploit activity are major contributors to this trend... the top threat family driving these detections is Blacole, also known as the “Blackhole” exploit kit. Blacole, a family of exploits used by the so-called Blackhole exploit kit to deliver malicious software through infected webpages, was the most commonly detected exploit family in the first half of 2012 by a large margin*. This kit can be bought or rented on hacker forums and through other illegitimate outlets. The kit consists of a collection of malicious webpages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components** ... In years past it was rare to see an exploit in the top ten list of threats for a country/region. In 2012-Q2 at least one exploit was in the top ten list of threats for 51 locations of the 105 countries/regions (49%) reported on in SIRv13***. Blacole is in the top ten lists of twenty-seven of these locations ..."

New Java attack introduced into "Cool Exploit Kit"
- https://threatpost.c...loit-kit-111212
Nov 12, 2012 - "A new exploit has been found in the Cool Exploit Kit for a vulnerability* in Java 7 Update 7 as well as older versions, a flaw that’s been patched by Oracle in Java 7 Update 9. Cool Exploit Kit was discovered last month and is largely responsible for dropping the Reveton ransomware. A new Metasploit module was introduced last night by researcher Juan Vazquez, developer Eric Romang said. Romang, a frequent Metasploit contributor, suggested it’s likely the exploit has been in the wild for a period of time and has only now been integrated into an exploit kit... Researchers are concerned now that this exploit is in Cool Exploit Kit, it could find its way into the BlackHole Exploit Kit... Reveton is linked to the Citadel banking and botnet malware..."
* https://web.nvd.nist...d=CVE-2012-5076 - 10.0 (HIGH)

Edited by AplusWebMaster, 13 November 2012 - 05:48 AM.


The malicious payload is at [donotclick]monacofrm.ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.194.66 (Psychz Networks, US)
The Mongolian and Malaysian IPs have been used several times for malware attacks, 216.24.194.66 looks like a new one. Blocking them all would probably be prudent.

- http://blog.dynamoo....es-malware.html
14 Nov 2012 - "This looks like a fake get-rich-quick scam email which is actually intended to distribute malware. Originating IP is 5.39.101.233 (OVH, Germany). Spamvertised domains are 8mailer .com on 5.39.101.225 (OVH, Germany) and promotesmetasearch .net on 46.249.38.27 (Serverius Holding, Netherlands). This last one is kind of interesting, because a) it's all in French and b) it contains a virus. The malware attempts to download an exploit kit from [donotclick]vodkkaredbuuull .chickenkiller .com/trm/requesting/requesting-pass_been_loaded.php which is kind of unfriendly, hosted on the same IP address.
The WHOIS details show a completely different name and address from the one quoted on the email:
Florence Buker
florence_buker05 @ rockfan .com
7043 W Avenue A4
93536 Lancaster
United States
Tel: +1.4219588211
Clearly the owner of promotemetasearch .net is up to no good, and I would suggest the Anthony Tomei connection might well be completely bogus.
From: Anthony Tomei admin @ 8mailer .com
Reply-To: info @ promotesmetasearch .net
To: donotemail @ wearespammers .com
Date: 14 November 2012 18:22
Subject: launch of
Dear Future Millionaire, Making $100,000 per month is not hard. In fact, there are 2 ways you accomplish this easy task of making money in a short period of time. The first way is to...

Opera site served Blackhole malvertising...
- http://www.theregist...pera_blackhole/
15 Nov 2012 - "Opera has suspended ad-serving on its portal as a precaution while it investigates reports that surfers were being exposed to malware simply by visiting the Norwegian browser firm's home page. Malicious scripts loaded by portal .opera .com were redirecting users towards a malicious site hosting the notorious BlackHole exploit kit, said a Romanian anti-virus firm BitDefender*, which said it had detected the apparent attack on its automated systems. BitDefender said it promptly warned Opera after it detected the problem on Wednesday. It seems likely the scripts had been loaded through a third-party advertisement, a practice commonly known as malvertising. Opera has yet to confirm the problem, but has disabled advertising scripts on its portal in case they are tainted..."
* http://www.hotforsec...epage-4431.html
14 Nov 2012 - "... malicious page harbors the BlackHole exploit kit (we got served with the sample via a PDF file rigged with the CVE-2010-0188 exploit) that will infect the unlucky user with a freshly-compiled variant of ZBot, detected by Bitdefender as Trojan.Zbot.HXT. The ZBot malware is on a server in Russia which, most probably, has also fallen victim to a hacking attack, allowing unauthorized access via FTP..."
> http://www.hotforsec...Homepage-21.jpg

Bogus BBB emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Nov 15, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating the Better Business Bureau (BBB), in an attempt to trick users into clicking on a link to a non-existent report. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....its_malware.png
... Although I wasn’t able to obtain the actual malicious payload from this campaign, it’s worth pointing out that the cybercriminals behind it relied on the same infrastructure as they did in previously profiled malicious attacks launched by the same party. We also know that on the following dates/specific time, the following malicious URLs also responded to the same IP (183.81.133.121):
2012-10-16 00:24:08 – hxxp ://navisiteseparation .net/detects/processing-details_requested.php
2012-10-12 11:19:37 – hxxp ://editdvsyourself .net/detects/beeweek_status-check.php
Responding to the same IP (183.81.133.121) are also the following malicious domains:
stafffire .net
hotsecrete .net - Email: counseling1 @ yahoo .com
the-mesgate .net - also responds to 208.91.197.54 – Email: admin @ newvcorp .com
Name servers used in the campaign:
Name Server: NS1.TOPPAUDIO .COM - 91.216.93.61 – Email: windowclouse @ hotmail .com
Name Server: NS2.TOPPAUDIO .COM - 29.217.45.138 – Email: windowclouse @ hotmail .com ..."
___

The malicious payload is at [donotclick]feronialopam .ru:8080/forum/links/column.php hosted on a familiar looking bunch of IP addresses that you really should block:
120.138.20.54 (Sitehost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)..."

Edited by AplusWebMaster, 16 November 2012 - 08:54 AM.


** https://www.google.c...c?site=AS:48434
Diagnostic page for AS48434 (TEBYAN) - "Of the 1723 site(s) we tested on this network over the past 90 days, 86 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-11-16, and the last time suspicious content was found was on 2012-11-16... Over the past 90 days, we found 2 site(s) on this network... that appeared to function as intermediaries for the infection of 5 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 5 site(s)... that infected 6 other site(s)..."

Edited by AplusWebMaster, 16 November 2012 - 08:38 AM.


Fake J. dee Edwards / jdeeedwards .com scam
- http://blog.dynamoo....dscom-scam.html
17 Nov 2012 - "I'm not even certain what this scam is, but this is certainly not legitimate:
From: J. dee Edwards j.edwards @ jdeeedwards .com
Reply-To: j.edwards @ jdeeedwards .com
Date: 17 November 2012 16:29
Subject: Edwards contact
Dear Colleague, We are working with healthcare market companies which would like to hear your opinion. We would like you to become a member of working group and share your opinion online. Please review your full name, specialty, country and language by clicking on the link http ://www .jdeeedwards .com/contact.php?e=[redacted] or replying to the email. Thank you for your time. J. dee Edwards HRms j.edwards @ jdeeedwards .com http ://www .jdeeedwards .com To ensure that our emails reach you, please remember to add j.edwards @ jdeeedwards .com to your email address book. We would like to remind you that J. dee Edwards is committed to safeguarding your privacy and your personal details will not be disclosed to third parties. If you do not wish to receive please visit: http ://jdeeedwards .com/ unsub.php?e=[redacted] Copyright 2012 - J. dee Edwards - 20 Broadwick Street London, UK

Firstly, the email is sent to an address that ONLY spammers use, which is not a good sign. Secondly, the domain jdeeedwards .com has anonymous WHOIS details and was registered just over a month ago - the site is hosted on 54.247.87.188 (Amazon, Ireland) and looks like this:
> https://lh3.ggpht.co...jdeeedwards.png
... there used to be a company called JD Edwards, but there isn't any more**, nor is there a company called J. dee Edwards anywhere in the UK. The link in the email is some sort of signup thing, I guess it's the first part of a scam to recruit people for some sort of illegal activity.
> https://lh3.ggpht.co...deeedwards2.png
Oddly, the email address is an "optional" component, so how are they going to contact you? Maybe it's the tracking code in the link. Alternatively, you can reply by email and this is the third suspect thing, the mailserver is on 85.206.51.81 in Lithuania (AS8764 / LIETUVOS-TELEKOMAS). AS8764* is a pretty scummy netblock according to Google*. 85.206.51.81 is also the IP address the spam was sent from. So, a non-existent company with a month-old domain sends an email to an address only spammers use, from an email server in a dodgy part of cyberspace. Whatever this is, it is some sort of scam and is definitely best avoided."
* http://www.google.co...ic?site=AS:8764

Fake IRS "W-1" SPAM / 5.chinottoneri .com
- http://blog.dynamoo....ttonericom.html
19 Nov 2012 - "This is a new one, pretending to be from the victim's HR department with tailored fake links in the email that look like they are going to the victim's own domain. Of course, floating over the links reveals that they point to some other domain entirely. A W-1 form is a tax form of some sort from the US Internal Revenue Service.
From: Administrator [mailto:administrator @ victimdomain .com]
Sent: 19 November 2012 14:50
Subject: To All Employee's - Important Address UPDATE
To All Employee's: The end of the year is approaching and we want to ensure every employee receives their W-1 to the correct address. Verify that the address is correct - https ://local .victimdomain .com/details.aspx?id=[redacted] If changes need to be made, contact HR at https ://hr.victimdomain .com/update.aspx?id=[redacted]. Administrator, http ://victimdomain .com

In this case, the link bounces through two hacked legitimate sites to end up at [donotclick]5.chinottoneri .com/links/landing-philosophy_dry-suspende.php hosted on 50.61.155.86 (Fortress ITX, US). VirusTotal detections are pretty low*. I suspect that there are many other malicious sites on this IP, blocking it would be wise."
* https://www.virustot...sis/1353338928/
File name: exploit.htm
Detection ratio: 3/43
Analysis date: 2012-11-19
___

Bogus IRS emails lead to malware
- http://blog.webroot....ead-to-malware/
Nov 19, 2012 - "In March 2012, we intercepted an IRS themed malicious campaign that was serving client-side exploits to prospective users in an attempt to drop malware on the affected hosts. This week, we intercepted three consecutive campaigns using the exact same email template used in the March campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog....eal_malware.png
Unlike March 2012's campaign that used client-side exploits in an attempt to drop malware on the affected host, the last three campaigns have relied on malicious archives attached to spamvertised emails. Each has a unique MD5 and phones back to a different (compromised) command and control server.
The first sample: MD5: f56026fcc9ac2daad210da82d92f57a3 * ... Worm:Win32/Cridex.E phones back to 210.56.23.100 :8080/Ajtw/UCygrDAA/Ud+asDAA (AS7590, Commission For Science And Technology, Pakistan).
We also have another: MD5: 532bdd2565cae7b84cb26e4cf02f42a0 ** Worm:Win32/Cridex.E that is known to have phoned back to the same IP, 128.2.172.202 :8080/37ugtbaaaaa/enmtzaaaaa/pxos/
The following MD5s are also known to have phoned back to this very same IP:
MD5: a5c8fb478ff7788609863b83079718ec ... Worm:Win32/Cridex.E
MD5: f739f99f978290f5fc9a812f2a559bbb ... Trojan.Win32.Bublik.swr
The third sample used in the IRS themed campaign: MD5: 32b4227ae379f98c1581f5cb2b184412 *** ... Worm:Win32/Cridex.E phones back to 202.143.189.180 :8080/Ajtw/UCygrDAA/Ud+asDAA (AS23974, Ministry of education, Thailand)..."
* https://www.virustot...sis/1352985385/
File name: IRS_Letter.exe
Detection ratio: 36/44
Analysis date: 2012-11-15
** https://www.virustot...sis/1352985520/
File name: IRS_Rejected.exe
Detection ratio: 35/44
Analysis date: 2012-11-15
*** https://www.virustot...sis/1352985751/
File name: IRS-AppID.exe
Detection ratio: 36/44
Analysis date: 2012-11-15
___

The malicious payload is at [donotclick]headerandfooterprebuilt .pro/detects/quality_flyes-ticket_check.php hosted on 198.27.94.80 (OVH, US). There are probably other Bad Things on that IP address, I just can't see them yet... blocking it would be a good precaution."
___

The malicious payload is at [donotclick]bamanaco .ru:8080/forum/links/column.php hosted on the following IPs:
203.80.16.81 (MYREN, Malaysia)
216.24.196.66 (Psychz Networks, US)
These IPs have been used to deliver malware several times recently, you should block access to them if you can."
___

Rolex SPAM rolls out in time for Black Friday
- http://www.gfi.com/b...r-black-friday/
Nov 19, 2012 - "... no surprise that online shenanigans abound when big holidays and major events are just around the corner. What remains to be seen are the forms of these shenanigans we ought to expect to see online and in our inboxes. This Thanksgiving and Black Friday week, cyber criminals did not disappoint. We found this particular email spam in user inboxes these last few days:
> http://www.gfi.com/b...ail-231x300.png
From: Designer Watches by LR (could be random, too)
To: {random}
Subject: Start Black Friday today
Message body: BLACK FRIDAY EVERY DAY UNTIL NOVEMBER 23RD! The best quality watch replicas on PLANET EARTH! The lowest priced high-end watches on the PLANET! www(dot)LRblackfridaytoday(dot)com BLACK FRIDAY HAS STARTED! Black Friday every day until November 23! All items reduced by 25-50% as of TODAY. Over 25,000 exact watch-copies have been reduced until Friday November 23rd. There plenty of time to get the watch of your dreams but we recommend doing it as soon as possible. This will ensure INSTOCK availability and fast delivery. NOTE: BLACK FRIDAY PRICES ARE AVAILABLE ON INSTOCK ITEMS ONLY! Currently every watch model is INSTOCK and ready to ship within 1 hour. THESE ARE NOT CHEAP CHINA STOCK KNOCK-OFFS: These are hand crafted high-end watch-copies. These are made using identical parts and materials. These are tested inside and out to be identical. There is no difference between our watch-copies and the originals! www(dot)LRblackfridaytoday(dot)com

Clicking either the image or the URLs on the email body leads users to the LRblackfridaytoday domain, which looks like this:
> http://www.gfi.com/b...ica-300x274.png
The domain resolves to an IP in the Czech Republic that does not only have a bad reputation but also uses a network that Google* warned us about. Our friends at Symantec** have also mentioned several variants of this spam mail (and published other Black Friday-related threats) that you might want to check out, too. Fake Rolex replica spammers, like fake pharma scammers, promise little luxuries but often never deliver. Giving out your credit card information to spammed sites is a sure way of putting yourself in potential debt with no “luxury replica item” in return..."
* http://www.google.co...ic?site=AS:6830

In the sample I have seen, there is an attachment called Report.htm with some obfuscated javascript leading to a malicious payload at [donotclick]hamasutra .ru:8080/forum/links/column.php hosted on the following IPs:
82.165.193.26 (1&1, Germany)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.196.66 (Psychz Networks, US)
Plain list:
82.165.193.26
202.180.221.186
203.80.16.81
216.24.196.66
___
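Nearly every post in this thread ends with the same advice: block the listed IPs and domains. The indicators are written defanged ("hamasutra .ru", "[donotclick]...", "www(dot)...(dot)com", "user @ domain .tld"), so copying them into a firewall or DNS blocklist by hand is tedious and error-prone. The script below is an added example, not code from dynamoo, Webroot, GFI or the forum poster: it normalises those defanging conventions, validates IPv4 octets, drops e-mail addresses so that providers such as hotmail .com are not blocked by mistake, and emits a reviewable blocklist. The sample text is constructed from fragments of the posts above.

```python
"""Normalise the defanged indicators in an advisory post into a reviewable blocklist.

Added example for this thread, not code from dynamoo, Webroot, GFI or the forum
poster. It assumes the defanging conventions used in the posts above: a
"[donotclick]" prefix, a space before the TLD ("hamasutra .ru"), "(dot)" spelled
out, and e-mail addresses written "user @ domain .tld". SAMPLE_POST is a
constructed text assembled from fragments of those posts.
"""
import ipaddress
import re

# Octet-validated dotted quad, so "999.1.1.1" or version strings are not picked up
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
# A label separator in plain or defanged form: ".", " .", "(dot)" or "[.]"
SEP = r"(?:\.| \.|\(dot\)|\[\.\])"
HOST_RE = re.compile(rf"[a-z0-9-]+(?:{SEP}[a-z0-9-]+)+", re.I)
DEFANGED_SEP_RE = re.compile(r" \.|\(dot\)|\[\.\]", re.I)
# Defanged e-mail addresses; blanked first so "yahoo .com" is not treated as a host
EMAIL_RE = re.compile(r"[\w.-]+ ?@ ?[\w.-]+(?: \.[\w.-]+)*")

# Constructed sample, stitched together from the posts above
SAMPLE_POST = """In the sample I have seen, there is an attachment called Report.htm with some
obfuscated javascript leading to a malicious payload at
[donotclick]hamasutra .ru:8080/forum/links/column.php hosted on the following IPs:
82.165.193.26 (1&1, Germany)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.196.66 (Psychz Networks, US)
Plain list:
82.165.193.26
202.180.221.186
203.80.16.81
216.24.196.66
Name Server: NS1.TOPPAUDIO .COM - 91.216.93.61 - Email: windowclouse @ hotmail .com
Site: www(dot)LRblackfridaytoday(dot)com
"""


def refang_host(token):
    """Turn 'NS1.TOPPAUDIO .COM' or 'www(dot)example(dot)com' into a real hostname."""
    return re.sub(SEP, ".", token, flags=re.I).lower()


def extract_indicators(text):
    """Return {'ips': [...], 'hosts': [...]} of unique, normalised indicators.

    Only tokens that were explicitly defanged are treated as hosts, which keeps
    ordinary 'word.word' text such as 'Report.htm' or 'Cridex.E' out of the list.
    """
    cleaned = text.replace("[donotclick]", "")
    cleaned = EMAIL_RE.sub(" ", cleaned)
    ips = {m.group(0) for m in IPV4_RE.finditer(cleaned)}
    hosts = set()
    for m in HOST_RE.finditer(cleaned):
        token = m.group(0)
        if DEFANGED_SEP_RE.search(token):
            hosts.add(refang_host(token))
    return {
        "ips": sorted(ips, key=ipaddress.IPv4Address),
        "hosts": sorted(hosts),
    }


def render_blocklist(indicators):
    """One indicator per line, IPs first, ready for a firewall or DNS RPZ import."""
    return indicators["ips"] + indicators["hosts"]


if __name__ == "__main__":
    for line in render_blocklist(extract_indicators(SAMPLE_POST)):
        print(line)
```

The output is a candidate list, not a finished policy: the posts also defang legitimate names (Cableforum.co .uk, for instance), so review the host list before loading it, and prefer the IP entries where the post says the same addresses recur across campaigns.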

Linux Rootkit doing iFrame Injections
- https://www.secureli...rame_Injections
Nov 19, 2012 - "... an interesting piece of Linux malware came up on the Full Disclosure mailing-list*... not only because it targets 64-bit Linux platforms and uses advanced techniques to hide itself, but primarily because of the unusual functionality of infecting the websites hosted on attacked HTTP server - and therefore working as a part of drive-by download scenario... The malware module was specially designed for the kernel version 2.6.32-5-amd64, which happens to be the latest kernel used in 64-bit Debian Squeeze. The binary is more than 500k, but its size is due to the fact that it hasn't been stripped (i.e. it was compiled with the debugging information). Perhaps it's still in the development stage, because some of the functions don’t seem to be fully working or they are not fully implemented yet. The malware ensures its startup by adding an entry to the /etc/rc.local script... Then it extracts the memory addresses of several kernel functions and variables and stores them in the memory for the later use... the malicious iFrames are injected into the HTTP traffic by direct modification of the outgoing TCP packets... In order to obtain the actual injection payload, the malware connects to the C&C server using an encrypted password for authentication... the malicious server is still active and it hosts other *NIX based tools, such as log cleaners... So far, in most of the drive-by download scenarios an automated injection mechanism is implemented as a simple PHP script. In the case described above, we are dealing with something far more sophisticated - a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before. This rootkit, though it's still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future. An excellent, detailed analysis of this rootkit was recently posted on CrowdStrike blog**."
* http://seclists.org/...ure/2012/Nov/94

- http://atlas.arbor.n...ndex#2007317889
64-bit Linux Rootkit Doing iFrame Injections
Nov 20, 2012
New development on a Linux-based rootkit shows increased attention from cybercriminals.
Analysis: It's been a while since public Linux rootkit activity has raised much attention. This particular rootkit is poorly designed; however, it is/was effective at delivering malicious links to website visitors, its primary goal. Several write-ups on the threat exist, including a post to the Full-Disclosure list, the Kaspersky blog and the CrowdStrike blog, which provide plenty of analysis material to help admins detect this threat. Arbor is interested to hear if any customers have found this threat on their hosting platforms.
Source: http://www.securelis...rame_Injections

Edited by AplusWebMaster, 22 November 2012 - 04:28 AM.

.The machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
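Two of the behaviours quoted above, persistence through /etc/rc.local and a module that hides itself, can be checked for from userland. The script below is an added example, not code from the Securelist, CrowdStrike or Arbor write-ups. It flags insmod/modprobe lines in rc.local (Debian loads modules from /etc/modules, so rc.local normally contains none) and lists modules that still have a /sys/module/<name>/initstate entry but are missing from /proc/modules, a heuristic for an LKM that has unlinked itself from the kernel's module list. The sample rc.local, the /proc/modules listing, the sysfs map and the module name evil_mod are constructed for the example.

```python
import os
import re

# Constructed sample data (not from the write-ups): a Debian-style rc.local that loads
# modules, a /proc/modules listing, and a {name: attribute-files} map of /sys/module.
RC_LOCAL_SAMPLE = """#!/bin/sh -e
# rc.local (constructed sample)
/usr/sbin/tunnel-up.sh
insmod /lib/modules/2.6.32-5-amd64/kernel/sound/core/snd.ko
insmod /usr/local/lib/.cache/evil_mod.ko
exit 0
"""

PROC_MODULES_SAMPLE = """ext4 354561 1 - Live 0xffffffffa0040000
jbd2 90328 1 ext4, Live 0xffffffffa0020000
e1000 118836 0 - Live 0xffffffffa0000000
"""

SYS_MODULE_SAMPLE = {
    "ext4": {"initstate", "refcnt", "sections", "holders"},
    "jbd2": {"initstate", "refcnt", "sections", "holders"},
    "e1000": {"initstate", "refcnt", "sections", "holders"},
    "printk": {"parameters"},   # built-in code: has parameters, never an initstate
    "evil_mod": {"initstate", "refcnt", "sections", "holders"},  # hypothetical hidden LKM
}

MODULE_LOADER_RE = re.compile(r"\b(insmod|modprobe)\b")


def parse_proc_modules(text):
    """Module names from a /proc/modules listing (first field of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.split()}


def hidden_modules(proc_modules_text, sysfs_modules):
    """Names that sysfs shows as runtime-loaded modules (only those get an initstate
    attribute) but that are missing from /proc/modules. Unlinking a module from the
    kernel's module list hides it from lsmod and /proc/modules; the sysfs kobject
    normally survives unless the rootkit also deletes it."""
    listed = parse_proc_modules(proc_modules_text)
    return sorted(name for name, attrs in sysfs_modules.items()
                  if "initstate" in attrs and name not in listed)


def rc_local_module_loads(rc_local_text):
    """(line number, line) for non-comment rc.local lines that call insmod/modprobe."""
    hits = []
    for n, line in enumerate(rc_local_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if MODULE_LOADER_RE.search(stripped):
            hits.append((n, stripped))
    return hits


def read_sysfs_modules(root="/sys/module"):
    """Build the {name: set(attribute files)} map from a live system."""
    result = {}
    try:
        for name in os.listdir(root):
            path = os.path.join(root, name)
            if os.path.isdir(path):
                result[name] = set(os.listdir(path))
    except OSError:
        pass
    return result


def scan_live_system():
    """Run both checks against the real /proc, /sys and /etc/rc.local."""
    def read(path):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return ""
    return {
        "hidden_modules": hidden_modules(read("/proc/modules"), read_sysfs_modules()),
        "rc_local_loads": rc_local_module_loads(read("/etc/rc.local")),
    }


if __name__ == "__main__":
    print("hidden:", hidden_modules(PROC_MODULES_SAMPLE, SYS_MODULE_SAMPLE))
    print("rc.local:", rc_local_module_loads(RC_LOCAL_SAMPLE))
```

Run scan_live_system() as root on a suspect Debian host. Both checks are heuristics: a rootkit that also removes its sysfs kobject passes the first, and one that persists through /etc/modules or a modified init script passes the second, so treat a clean result as "nothing obvious", not as a clean bill of health.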

Malware sites to block 23/11/12- http://blog.dynamoo....ock-231112.html 23 November 2012 - "This bunch of IPs and domains are being used in a series of fairly well-targeted attacks involving malicious spam messages that look like they come from real financial organisations (such as this one*). The payload is apparently "Ponyloader".* http://blog.dynamoo....ttonericom.html The domains seem to be legitimate but hacked, and in some cases the server infrastructure also looks like it is something legitimate that has been taken over by the bad guys. However, the chances are that you are more likely to see these sites as the result of a malicious spam run rather than anything else, and you should consider blocking them... Plain list of IPs for copy-and-pasting:
50.116.16.118
64.94.101.200
69.194.194.216
70.42.74.152
94.76.235.199
173.246.103.59
173.246.103.112
173.246.103.124
173.246.103.184
173.246.104.21
174.140.168.143
198.74.52.86
209.188.0.118 ..."(More detail at the dynamoo URL above.)___

Bogus Tsunami Warning leads to Arcom RAT- http://blog.trendmic...s-to-arcom-rat/Nov 23, 2012 - "... the website “Hoax Slayer”* pointed us to a spammed email message that warns users of a Tsunami and encourages them to click on a link to watch a video. The article, which the cybercriminals made to look like it came from “news.com.au”, claims that experts have predicted that a Tsunami will hit Australia on New Year’s Eve...> http://blog.trendmic...ontent_spam.jpgThe “watch now” link connects to {BLOCKED}be.us and downloads a file that pretends to be an AVI in a ZIP archive. In actual, “sunami_australian_agency_of_volcanology_and_seismology.avi.pif is a malicious file which Trend Micro detects as BKDR_DOKSTORMC.A... It remains unclear who is behind the attack and what the motivation may be... The malware is a Remote Access Trojan (RAT), known as Arcom RAT, and it is sold on underground forums for $2000.00... There are also free cracked versions available for download from a variety of sources. Arcom RAT was reportedly authored by “princeali” who has been actively coding RATs and malware for about a decade. The alias “princeali” is connected to a group known as NuclearWinterCrew which created the infamous NuclearRAT..."* http://www.hoax-slay...g-malware.shtmlNov 19, 2012___

Bogus Prize Offers on Facebook - 'Like and Share To Win'- http://www.hoax-slay...share-win.shtmlNov 22, 2012 - "Outline: Various messages distributed on Facebook claim that users can win expensive prizes such as Apple products or designer headphones just by liking and sharing a Facebook Page.Analysis: A great many of these supposed prize offers are totally bogus. The "promotions" are created primarily to artificially inflate the number of "likes" gained by the offending Facebook Page and to promote the page further by way of shared posts and images. Those who participate will -never- receive the promised prize. In some cases, the perpetrators of these fake promotions may also try to trick people into divulging their personal information... don't give these unscrupulous people what they want! Don't "like" their bogus Pages. Don't be tricked into spamming your friends with their fake promotions by sharing their pictures. Do not send your personal information to these people in the vain hope of winning a prize. Before entering any type of promotion or prize draw always take a closer look. If it seems suspect or dodgy, give it a miss."___

> https://www.google.c...c?site=AS:16276"... over the past 90 days, 5626 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-11-24, and the last time suspicious content was found was on 2012-11-24... we found 856 site(s) on this network... that appeared to function as intermediaries for the infection of 6279 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1369 site(s)... that infected 21258 other site(s)..."___

The victim is enticed to click on the attachment which leads to a malicious payload on [donotclick]efaxinok .ru:8080/forum/links/column.php hosted on the following IPs: 202.180.221.186, 203.80.16.81, 208.87.243.131, 216.24.196.66. These are the same IPs as used in this attack yesterday*, and it forms part of a long-running malicious spam run which appears to have been going on forever. Of note, there's a new domain in this cluster, delemiator .ru, which I haven't yet seen used in a malicious spam run, but it probably will be.* http://blog.dynamoo....redinoplru.html___

Phishing SCAM asks for TAN list photo- http://h-online.com/-1757018 26 Nov 2012 - "A new phishing email circulating in Germany is asking customers of the country's largest banking establishment, Deutsche Bank, to upload photographs or scans of their bank-issued TAN (Transaction Authentication Number) list to a maliciously fabricated web site. TANs are used by many banks in Germany to authenticate transactions during online banking sessions. The customer receives a printed list of TANs, essentially one-time passwords, via mail and has to use a randomly selected number from the list each time they want to send money or approve other transactions. The phishing email directs users to a deceptive web page where the scammers claim that the upload of the TAN list is needed as Deutsche Bank supposedly changes their iTAN technology for a mobile TAN (mTAN) system on 1 January 2013... The short time frame is apparently designed to increase the pressure on the victims of the phishing emails. The H's associates at heise online received copies of similar emails that were apparently asking for the information to be uploaded by the next day or the customer's account would be disabled... The web sites are a professional reproduction of Deutsche Bank's actual online banking interface..."___

Bogus Facebook ‘pending notifications’ emails serve client-side exploits and malware- http://blog.webroot....ts-and-malware/ 27 Nov 2012 - "A recently launched malicious spam campaign is impersonating Facebook, Inc. in an attempt to trick its one billion users into thinking that they’ve received a notification alerting them to activities they may have missed on Facebook. Upon clicking on any of the links found in the email, users are exposed to the client-side exploits served by the BlackHole Exploit Kit... Sample screenshot of the spamvertised email: > https://webrootblog....ts_malware1.png ... Malicious payload serving URL: hxxp ://ceredinopl .ru:8080/forum/links/column.php?cfcjm=xbc229&fnhcuc=njx&svdp=2v:1k:1m:32:33:1k:1k:31:1j:1o&xdva= Sample client-side exploits served: CVE-2010-0188. Malicious domain name reconnaissance: ceredinopl .ru – 203.80.16.81 (AS24514); 208.87.243.131; 216.24.196.66 (AS40676); 202.180.221.186 (AS24496)... Upon successful client-side exploitation the campaign drops MD5: 9db13467c50ef248eaf6c796dffdd19c * ... PWS-Zbot.gen.aqw. Responding to the same IPs – 203.80.16.81 (AS24514); 208.87.243.131; 216.24.196.66 (AS40676); 202.180.221.186 (AS24496)... If users feel they received a bogus email that may not be coming from Facebook, they can alert Facebook by forwarding the message to phish@fb.com . In addition, users can check to see if their account has been compromised by visiting https://www.facebook.com/hacked ..."(More detail at the webroot URL above.)* https://www.virustot...1290d/analysis/ File name: 413823066bcca9a7b298015fcba37b74a94d1950 Detection ratio: 28/43 Analysis date: 2012-11-25___

Fake Browser Updates - Malicious Ads... - http://blog.trendmic...rowser-updates/ Nov 26, 2012 - "Thinking of updating your web browsers? Just make sure that you download from legitimate sources, instead of downloading malware disguised as browser updates onto your system. Just recently, we were alerted to a report* of several websites offering updates for Internet browsers like Firefox, Chrome, and Internet Explorer, just to name some. Users may encounter these pages by clicking malicious ads. The bad guys behind this threat made an effort to make this ruse appear legitimate. These pages, as seen below, were made to look like the browsers’ official sites. To further convince users to download the fake update, the sites even offer integrated antivirus protection: > http://blog.trendmic...te_browsers.gif Instead of an update, users download malware detected as JS_DLOADR.AET, which was found capable of changing the downloaded binary to have a different payload. The malicious JavaScript, in turn, downloads TROJ_STARTPA.AET and saves it as hxxp ://{BLOCKED}browserupdate/install.exe. Based on our initial analysis, the Trojan modifies the user’s Internet Explorer home page to hxxp ://{BLOCKED}rtpage .com, a site that may host other malicious files that can further infect a user’s system... To avoid this ruse, users must exclusively download updates from a legitimate source or the software vendor’s official websites. Many browsers also include an integrated auto-update feature..."* http://stopmalvertis...th-malware.html securebrowserupdate .com = malvertisement... 23 Nov 2012 - "... Internet users are told that their current browser version is out of date and they are invited to install the latest update. Victims are redirected to securebrowserupdate .com via a malvertisement. The domain securebrowserupdate .com has been registered on the 16th November 2012 via name .com. The registrant details are protected by a privacy service..." ___

The malicious payload is at [donotclick]ganiopatia .ru:8080/forum/links/column.php hosted on the following IPs:202.180.221.186 (GNet, Mongolia)203.80.16.81 (MYREN, Malaysia)208.87.243.131 (Psychz Networks, US)Note that ganalionomka .ru is also on the same cluster of servers and will also be malicious. These IP addresses have been used for malware several times, blocking access to them would be a good idea." ___

BeyondTek IT / beyondtekit .com SPAM- http://blog.dynamoo....ond-tek-it.html27 Nov 2012 - "Here's an annoying spammer.. but who are they exactly? From: Nick Snow ---- BeyondTekIT Nick @ beyondtekit .com Date: 27 November 2012 10:24 Subject: Your IT Jobs - HR Hello: The IT market is extremely HOT right now and there is no doubt that, there is a severe shortage of qualified, experienced IT candidates and an over-abundance of IT jobs being advertised by companies all over the country. It seems, most qualified candidates are in such high demand that they are getting multiple offers, which is making it difficult for companies to fill certain positions. That being said please let me know if you currently have any hard-to-fill IT positions at that we could provide candidates for. We can assist with contract, contract-to-hire/temp-to-perm, or permanent positions. We have candidates available across all technologies and skill-sets, including (this is only a partial list): Programmers/Developers - Java, C++, .Net, Ruby, Web, Perl, Python, PHP, ColdFusion, etc Systems Analysts / Business Analysts QA Engineers/Analysts/Testers DBA's - SQL Server, Oracle, MySQL, etc SAP Consultants - Technical, Functional, Techno-Functional, Analysts, Developers Oracle Consultants - Technical, Functional, Techno-Functional, Analysts, Developers Data Warehouse/Business Intelligence Developers/Engineers - ETL, SSIS, SSAS, SSRS, Cognos, etc Project Managers Systems Administrators - Linux, Window, etc Executive - CIO, CTO, VP of IT, etc PS - We have just started offering our clients a business model of hiring off-site developers, who can be your employees but working from our office in India. Please ask me for more details, and I can send you our PowerPoint presentation. Thank you. Nick Snow BeyondTek IT Tel: 714-572-1544 nick @ beyondtekit .com www .BeyondTekIT .com

The spam (and it is spam) originates from a server on 216.14.62.75 (Telepacific Communications, Los Angeles) which also hosts the beyondtekit .com and beyondtechit .com domains...I personally wouldn't recommend giving any personal details to spammers, and I certainly wouldn't recommend giving details to a company that seems to spend some effort to conceal who they really are. But, bear in mind that there are no anti-spam laws in India which explains the high level of Indian spam messages (think SEO spam)..."

Edited by AplusWebMaster, 27 November 2012 - 02:31 PM.


FedEx SPAM / PostalReceipt .zip- http://blog.dynamoo....receiptzip.html27 Nov 2012 - "A slightly new take on the malicious FedEx spam we've seen recently. This time, the link in the email goes to a hacked domain to download an attachment called PostalReceipt.zip Date: Tue, 27 Nov 2012 13:04:37 -0400 From: "Office Mail" [no_replyFRL@cleveland.com] Subject: ID (I)JI74 384 428 2295 7492 FedEx Order: AX-7608-99659670234 Order Date: Sunday, 25 November 2012, 10:35 AM Dear Customer, Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you. To receive a parcel, please, go to the nearest our office and show this postal receipt. GET POSTAL RECEIPT Best Regards, The FedEx Team. FedEx 1995-2012

In this case the download site was [donotclick]amsterdam.cathedralsoft .com/TFOIATVZVT.html hosted on 46.105.140.157 (OVH, Spain). www.cathedralsoft .com is hosted on 94.23.187.176 (also OVH, Spain). It looks like cathedralsoft .com has been compromised in this attack.VirusTotal detection rates are very low*. I don't currently have an analysis of the malicious payload."* https://www.virustot...sis/1354056475/File name: PostalReceipt.exeDetection ratio: 1/44Analysis date: 2012-11-27


Bogus DHL emails serve malware- http://blog.webroot....-serve-malware/ Nov 28, 2012 - "From UPS and USPS to DHL, bogus and malicious parcel tracking confirmations are a common social engineering technique often used by cybercriminals to trick users into clicking on malicious links or executing malicious attachments found in the spamvertised emails. Continuing what appears to be a working social engineering tactic, cybercriminals are currently mass mailing bogus DHL ‘Express Delivery Notifications’ in an attempt to trick users into executing the malicious attachment. Once executed, it opens a backdoor on the affected host allowing the cybercriminals behind the campaign complete access to the infected PC... Sample screenshot of the spamvertised email: > https://webrootblog....pam_malware.png Sample detection rate for the malicious attachment: MD5: b0d4dad91f8e56caa184c8ba8850a6bd * ... Trojan-Downloader.Win32.Andromeda.daq. What’s particularly interesting about this MD5 is that there are files named T-Mobile-Bill.pdf.exe that have also been submitted to VirusTotal, indicating that there’s another T-Mobile themed campaign that’s currently circulating in the wild. PEiD Signature of the file: BobSoft Mini Delphi -> BoB / BobSoft. It also creates %AllUsersProfile%\svchost.exe on the system, plus a Registry Value – [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] SunJavaUpdateSched = “%AllUsersProfile%\svchost.exe” – so that svchost.exe runs every time Windows starts."* https://www.virustot...sis/1353774086/ File name: DHL-EXPRESS-DELIVERY-NOTIFICATION.exe Detection ratio: 34/42 Analysis date: 2012-11-24___

Fake Angry Birds Star Wars Android SMS Sender- http://www.gfi.com/b...oid-sms-sender/ Nov 28, 2012 - "Back in April, fake copies of Angry Birds Space were in circulation – with the recent release of Angry Birds Star Wars, scammers have caused a great disturbance in the Force, as if millions of phones cried out in terror and were suddenly silenced... Fake apps are once again the order of the day – here’s one our Labs have found and taken a look at, offered up for download from a dedicated website over at angrybirdsstarwars-android(dot)ru [ 5.9.112.10 - AS24940**]> http://www.gfi.com/b...arsfakeapp1.png As with so many similar fakeouts, Android owners must download the app from the website then install it on their phone (downloading with anything other than your mobile device – say, a web browser – offers up a .jar file instead)... This one acts like a typical Boxer Android file, sending premium SMS messages before downloading a valid version of the software. All in all, a rather costly mistake given you could pay the one time fee for the legitimate Google Play download and Angry Bird yourself into a (non-scammed) frenzy instead. VirusTotal results can be found here*, and we detect this as Trojan.AndroidOS.Generic.A with VIPRE Mobile. End-users should always be cautious of websites offering up Android files that aren’t the Google Play store, especially when based around a hot new property or must-have game..."* https://www.virustot...sis/1354052956/ File name: Angry_Birds_Star_Wars_install.apk Detection ratio: 7/43 Analysis date: 2012-11-27** https://www.google.c...c?site=AS:24940 "... over the past 90 days, 5998 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-11-28, and the last time suspicious content was found was on 2012-11-28... Over the past 90 days, we found 817 site(s)... that appeared to function as intermediaries for the infection of 4963 other site(s)... We found 1714 site(s)... that infected 9332 other site(s)..."> http://sitevet.com/db/asn/AS24940 Blacklisted URLs: 3081___

The malicious payload is at [donotclick]ganadeion .ru:8080/forum/links/column.php hosted on some familiar looking IP addresses that you should block if you can:202.180.221.186 (GNet, Mongolia)203.80.16.81 (MYREN, Malaysia)208.87.243.131 (Psychz Networks, US)"___

Fake UPS email serves Fake AV- http://www.gfi.com/b...ves-up-fake-av/Nov 28, 2012 - "... seasonal looking fake UPS delivery notification, claiming in broken English that “Your package delivered to the nearest Postal Office. When receiving, please show a mailing receipt. Address of the nearest office you can find on our website”.> http://www.gfi.com/b...axNI1r6pupn.pngDepending on the spam campaign you happen to stumble upon, you’ll most likely be redirected through a collection of websites before arriving at your final destination which in this case happens to be Fake AV – specifically, System Progressive Protection.> http://www.gfi.com/b.../upsfakeav2.pngFake UPS spam is a perennial favourite of Malware pushers... We detect the above as Lookslike.Win32.Winwebsec.p (v)... treat delivery notification emails with the utmost caution. If in doubt, simply visit the website of your chosen parcel delivery service and have fun typing in tracking codes instead. It’s a lot safer."

Edited by AplusWebMaster, 28 November 2012 - 10:10 AM.


The malicious payload is at [donotclick]dimarikanko .ru:8080/forum/links/column.php hosted on a bunch of familiar looking IP addresses which have been used in several recent attacks:202.180.221.186 (GNet, Mongolia)203.80.16.81 (MYREN, Malaysia)208.87.243.131 (Psychz Networks, US)..."___

Vobfus sites to block- http://blog.dynamoo....s-to-block.html29 Nov 2012 - "These domains and sites appear to be connected to the Vobfus worm, hosted on 222.186.36.108 (Chinanet Jiangsu Province Network). There seems to be quite a bit of this -worm- about..."(More detail at the dynamoo URL above.)

What’s the Fuss with WORM_VOBFUS?- http://blog.trendmic...th-worm_vobfus/ Nov 29, 2012 - "Some malware are more persistent than others – like WORM_VOBFUS. This recent heap of WORM_VOBFUS variants seen spreading on Facebook does not exhibit new routines, but it is a good reminder for users about well-known, but easily forgotten, safe computing practices... Disabling AUTORUN has its merits – but not everyone knows. Worms, like WORM_VOBFUS, are known to propagate by taking advantage of the Windows Autorun feature on drives. To address this, users are often advised to disable Autorun to prevent their drives from being infected. For reasons of inconvenience (or maybe forgetfulness?) users do -not- disable this feature... As WORM_VOBFUS and other threats using old but reliable exploits show, threats do not burn and turn into ashes easily. Sometimes, they fade away but surface again..."___

Dynamic DNS sites you might want to block II- http://blog.dynamoo....want-to_29.html29 Nov 2012 - "These Dynamic DNS domains belong to a mystery outfit called dnsdynamic .org, and several of them seem to be in the process of being abused by third parties (for example). The registrations seem to be anonymised, some poking around at the recent WHOIS history of one of these domains (freedynamicdns .com) reveals ownership details of: Manager, Domain manager@invertebrateisp.com Invertebrate ISP PO Box 405 Glenmont, New York 12077 United States +1.2623946781More digging at invertabrateisp .com comes up with a real name: Wilde, Tim [redacted] [redacted] Glenmont, New York 12077 United States [redacted] Fax -- Anyway, Mr Wilde is -not- connected with the malicious activity going on with these domains, but he is providing a service that is being abused. Interestingly he founded DynDNS before selling it on. Dynamic DNS services can be useful, but my personal recommendation is that you should consider blocking them as the bad guys are very good at abusing them. Overall, these are not as bad as the ones run by ChangeIP .com (see here*). There are two versions of this list, one links through to the Google Safe Browsing diagnostics report in case you want to review them on a case-by-case basis before blocking them (-yellow- highlighted ones have some malware, -red- highlighted ones are blocked by Google). The second one is a plain list of everything in case you want to block them completely..."(More detail and "the lists" at the dynamoo URL above)

DNS server redirections ...- http://www.theregist...mania_dns_hack/ 28 Nov 2012 - "A hacker -redirected- web surfers looking for Yahoo, Microsoft or Google to a page showing a TV test card by apparently poisoning Google's public DNS system. Punters and organisations relying on Google's free service were affected, rather than the websites themselves being compromised. Visitors to yahoo .ro, microsoft .ro and google .ro were served a message from an Algerian miscreant using the moniker MCA-CRB. Traffic destined for the Romanian websites of Kaspersky Lab and Paypal was also hijacked... MCA-CRB is a prolific online graffiti artist who has defaced at least 5,000 sites, according to records kept by Zone-H*. The latest attack was carried out to gain bragging rights rather than to trouser a profit or stage a political protest... Last week, defaced copies of Google, Yahoo!, Microsoft, eBay and Apple's Pakistan websites were shown to surfers, again as a result of a DNS hijack... the affected Romanian sites were restored by Wednesday lunchtime, except Paypal.ro which proved difficult to reach in any case..."* http://www.zone-h.or...otifier=MCA-CRB___

Bogus ‘Meeting Reminder’ emails serve malware- http://blog.webroot....-serve-malware/ Nov 29, 2012 - "Cybercriminals are mass mailing malicious emails about a meeting you wouldn’t want to attend... Once executed, the malicious attachment opens a backdoor on the affected host, allowing the cybercriminals behind the campaign to gain complete access to the affected host. Naturally, we’ve been monitoring their operations for quite some time, and are easily able to identify multiple connections between their previously launched campaigns... Sample screenshot of the spamvertised email: > https://webrootblog....pam_malware.png ... the malicious executable: MD5: a684feff699bb7e3b8814c32c1da8277 * ... Worm:Win32/Cridex.E. It also creates the following registry keys: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4 and HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B. The newly created Registry Value is: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] KB00121600.exe = “%AppData%\KB00121600.exe” so that KB00121600.exe runs every time Windows starts. Upon execution, the sample phones back to 64.150.187.72 :8080/AJw/UCygrDAA/Ud+asDAA (AS10316**)... We’ve also seen the same IP (64.150.187.72) used as name server in a previously profiled malicious campaign..."* https://www.virustot...sis/1353778430/ File name: Report.exe Detection ratio: 38/44 Analysis date: 2012-11-24** https://www.google.c...c?site=AS:10316

Edited by AplusWebMaster, 29 November 2012 - 03:52 PM.

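Both the Andromeda sample in the DHL post and the Cridex sample in the ‘Meeting Reminder’ post above persist through a Run value that points at an executable in a user profile directory, one of them named svchost.exe to blend in and the other named like a hotfix. The script below is an added example, not Webroot's code: it parses `reg query <key> /s` style output for the HKLM and HKCU Run keys and flags entries showing those traits. The registry dump, including the VMware and Java entries used as benign fillers, is constructed for the example.

```python
import ntpath
import re

# Constructed `reg query ... /s` style dump (not from the Webroot posts). The first and
# third entries mirror the persistence described above; the other two are benign fillers.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SunJavaUpdateSched    REG_SZ    "%AllUsersProfile%\svchost.exe"
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    KB00121600.exe    REG_SZ    "%AppData%\KB00121600.exe"
    SunJavaUpdateSched    REG_SZ    "C:\Program Files\Java\jre6\bin\jusched.exe"
"""

KEY_LINE_RE = re.compile(r"^HKEY_[A-Z_]+\\", re.I)
VALUE_LINE_RE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
KB_NAME_RE = re.compile(r"^kb\d{6,}\.exe$", re.I)

# Core Windows binaries that never legitimately start from outside the Windows tree.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe"}
# Environment variables that expand to user- or all-users-writable locations.
USER_WRITABLE_PREFIXES = ("%appdata%", "%localappdata%", "%allusersprofile%",
                          "%userprofile%", "%temp%", "%tmp%")


def parse_reg_query(text):
    """(key, value name, data) tuples from `reg query <key> /s` output."""
    entries, key = [], None
    for line in text.splitlines():
        if KEY_LINE_RE.match(line):
            key = line.strip()
            continue
        m = VALUE_LINE_RE.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("data")))
    return entries


def image_path(data):
    """Executable path from a Run value: honour quoting, drop trailing arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def assess_run_entry(name, data):
    """Reasons an autorun entry looks like malware persistence; empty list = nothing odd."""
    image = image_path(data).lower().replace("/", "\\")
    base = ntpath.basename(image)
    reasons = []
    if base in SYSTEM_BINARIES and "\\system32\\" not in image and "\\syswow64\\" not in image:
        reasons.append(f"{base} outside System32 (Andromeda-style name spoofing)")
    if image.startswith(USER_WRITABLE_PREFIXES) or "\\appdata\\" in image or "\\programdata\\" in image:
        reasons.append("image in a user-writable profile directory")
    if KB_NAME_RE.match(base):
        reasons.append("hotfix-style KB<digits>.exe name (Cridex pattern)")
    if "java" in name.lower() and "java" not in image:
        reasons.append("value name imitates the Java updater but image is not a Java binary")
    return reasons


def scan_run_keys(reg_query_text):
    """[(key, name, data, reasons)] for every flagged entry in the dump."""
    findings = []
    for key, name, data in parse_reg_query(reg_query_text):
        reasons = assess_run_entry(name, data)
        if reasons:
            findings.append((key, name, data, reasons))
    return findings


if __name__ == "__main__":
    for key, name, data, reasons in scan_run_keys(SAMPLE_REG_QUERY):
        print(f"{key}\n  {name} = {data}\n  -> {'; '.join(reasons)}")
```

Feed it the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s` and the HKCU equivalent from the suspect machine (the RunOnce and Wow6432Node keys are worth the same treatment). The checks are deliberately about where the image lives and what it pretends to be, not about hashes, since both samples above were repacked between campaigns while the persistence shape stayed the same.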

(Here they come...)Santa SCAMS...- http://community.web...amta-claus.aspxNov 30, 2012 - "... detected a marked increase in spam emails seeking to exploit fans of the big man himself: Santa Claus... They claim to offer alternative services to ensure that your "little ones" receive personalized responses from Santa. As is often the case in today’s unsolicited email world, the links within these emails don’t take you to a reputable and Santa-approved communication facilitator. Rather than being prompted for personal details about your little ones (which in itself poses an interesting discussion of internet safety and the sharing of personal details with random websites) you’ll probably find that you’re either a winner, or a potential winner, of some new fruit-branded hardware. All you have to do is complete a survey or an affiliate offer... > http://community.web...7360.santa1.png... subject lines to catch your attention and elicit a response:- Personal Letter From Santa For Your Child- (A) Letter From Santa For Your Child- Santa Claus Letters- A personal letter from Santa for your little ones- Custom Santa Letters > http://community.web...7848.santa2.pngClicking the "Click Here" links within many of these messages directs you to an official-looking web-browser opinion survey, tailored to the browser from which you are viewing the page: Simple browser detection and IP geolocation techniques are used to appear convincing.Unfortunately, other than the opinion survey, the only personalized item you’re likely to receive from this point on is more spam, scams, or empty offers. No amount of form-filling, survey submissions, or offer completions are likely to result in the desired letter from Santa Claus. Therefore, if you are looking to assist Santa with his letter-sending duties, please stick to reputable organizations. Many charities, for example, provide this service legitimately..."___

The malicious payload is at [donotclick]podarunoki .ru:8080/forum/links/column.php hosted on some familiar IP addresses which should be blocked if you can:202.180.221.186 (GNet, Mongolia)203.80.16.81 (MYREN, Malaysia)..."___

The malicious payload is at [donotclick]mokingbirdgives .org/less/demands-probably.php (report here) hosted on 184.82.100.201 (HostNOC, US) along with the following domains which also appear to be malicious: ..."(Long list at the dynamoo URL above..)

Edited by AplusWebMaster, 30 November 2012 - 07:45 PM.


Malicious email MMS targets mobile phone users- http://community.web...hone-users.aspx2 Dec 2012 - "... Websense... has detected a malicious spam campaign that tries to exploit customers of major mobile phone companies. Specifically, we have detected thousands of emails claiming users have received MMS content via email localized to Australian and German carriers late last week:> http://community.web...s/3731.both.pngBecause mobile phone use is an everyday activity, users could be tricked into opening and running attachments, especially those that appear to come from their carriers. Once the malware is launched, it connects to a list of remote servers to download more malicious binaries. What is interesting about these samples is that they are heavily encrypted and have many anti-debug tricks. Unlike other malware, this sample deploys several decryption phases before finally executing its malicious function. Even more interesting, it implements all its tricks, like decryption and patching, only in memory... It downloads malicious binaries from these remote servers:> http://community.web..._downloader.jpg173.254.28.81 ... During our analysis, some of the remote servers were still available, and the malicious binary files were still downloadable..."___

The malicious payload is at [donotclick]panamechkis .ru:8080/forum/links/column.php hosted on:113.197.88.226 (ULNetworks, Korea)202.180.221.186 (GNet, Mongolia)203.80.16.81 (MYREN, Malaysia)Of these, 113.197.88.226 seems to be a new one which should be added to your blocklists."___

Fake FedEx emails lead to malware- http://blog.webroot....ead-to-malware/ Dec 4, 2012 - "At the end of October, a cybercriminal or group of cybercriminals launched three massive spam campaigns in an attempt to trick users into clicking on a deceptive link and downloading a malicious attachment. Upon execution, the malware phones back to the command and control servers operated by the party that launched it, allowing complete access to the infected PC. This time they didn’t try impersonating USPS, UPS or DHL, but FedEx... Sample screenshot of the spamvertised email: > https://webrootblog....lware.png?w=481 Second screenshot of a sample spamvertised email, again, part of the same campaign: > https://webrootblog....plate.png?w=545 Third screenshot of a sample spamvertised email used in the campaign: > https://webrootblog....plate.png?w=495 Sample detection rate for the first sample: MD5: 0e2e1ef473bb731d462fb1c8b3dd7089 * ... Trojan.Win32.Buzus.mruv. Upon execution, it phones back to the following URLs: hxxp ://91.121.90.80 :8080/... hxxp ://84.40.69.119 :8080/... hxxp ://211.172.112.7 :8080/... Sample detection rate for the second sample: MD5: ab25d6dbf9b041c0a7625f660cfa17aa ** ... Trojan-Dropper.Win32.Dapato.bxhg. Upon execution, it phones back to the following URLs: hxxp //59.25.189.234 :8080/... hxxp //140.135.66.217 :8080/... hxxp //82.113.204.228 :8080/... hxxp //59.126.131.132 :8080/... None of these IPs currently respond to any specific domains, besides 59.126.131.132. songwriter .tw is currently responding to 59.126.131.132 – Email: songwriter .tw@ gmail .com... > https://webrootblog....rver.png?w=1024 The domain seems to be a legitimate Taiwanese songwriting company/individual, indicating that their server has been compromised and is currently used as a command and control server. Sample detection rate for the third sample: MD5: 252c797959273ff513d450f9af1d0242 *** ... TrojanDownloader:Win32/Kuluoz.B..."* https://www.virustot...sis/1354489330/ File name: Postal_Receipt.exe Detection ratio: 35/46 Analysis date: 2012-12-02** https://www.virustot...sis/1354489404/ File name: Postal_Receipt1.exe Detection ratio: 37/46 Analysis date: 2012-12-02*** https://www.virustot...sis/1354489465/ File name: PostalReceipt2.exe Detection ratio: 25/46 Analysis date: 2012-12-02___

"ARK Bureau" fake job offer- http://blog.dynamoo....-job-offer.html 4 Dec 2012 - "The ARK Architecture Bureau is a genuine company. This fake job offer is -not- from ARK Bureau, but is some sort of illegal activity such as money laundering. From: Odette Holcomb [mailto:nbnian@esonchem.co.kr] Sent: 03 December 2012 12:32 Subject: Help wanted. POSITION: Customer Assistant ABOUT COMPANY: ARK Bureau has served hundreds of clients in the United Kingdom, Poland, France and Germany since 1998. The firm was created by Lorinda Rogers, a young architect of Canadian origin. From its inception, ARK Bureau's vision for design and construction was based on system approach, incorporating both building and landscape design. That philosophy has always meant the highest quality for our clients. That's probably why ARK Bureau enjoys a strong loyalty from the past customers. Now we have open vacancy in the U.S.: Customer Assistant RESPONSIBILITIES: - Process payments from customers; - Filing invoices, statements and associated documents; - Meet and exceed performance and time management goals; - Other duties as required. GENERAL SKILLS: - High communication skills; - Strong problem solving and planning skills; - Experienced computer & internet user. APPLY: To apply please: arkbureaumanager @nokiamail .com

An alternative version uses the email address of arkbureau_manager@nokiamail.com. The two samples that I have seen have originating IP addresses of 174.52.171.8 (Comcast, US) and 109.173.54.245 (NCNET, Russia). You should give this fake company a wide berth unless you want to end up in serious trouble with law enforcement."___

ADP SPAM / fsblimitedrun .pro
- http://blog.dynamoo....itedrunpro.html
3 Dec 2012 - "This fake ADP spam leads to malware on fsblimitedrun .pro:
From: ADP Transaction Status
Date: 3 December 2012 17:55
Subject: ADP Major Accounts Processed Case
Valued customer: James lately covered Transaction at your account. Event # 433933082. Case Caption: 6CO7 Incident Substantiation: Download We at ADP obtain to create a personalized and client focused experience with every client interaction. Please view transaction changed by visiting the link below. Click here - ADP Major Accounts Operation Progress mentioned above Best Wishes, James Brooks Vice President of Customer Care Department ADP ADP Major Accounts ***Reminder*** Please remember to complete your Semi-Annual Service Quality Survey! Our Goal is to ensure you are VERY SATISFIED with each interaction you have with our Service Associates and we ask that you consider your overall experience in the 6 months preceding your receipt of the survey. We strive to provide WORLD CLASS SERVICE and determine our success by your satisfaction with ADP's services. ********** This e-mail was delivered from an robot account. Please don't reply to this message. auomatic informational system unable to accept incoming email.

The malicious payload is at [donotclick]fsblimitedrun .pro/detects/survey_success-complete.php hosted on 41.215.225.202 (Essar Wireless Kenya Ltd) along with the following malicious domain: fdic-update-install .info . Blocking access to this IP address would probably be prudent.___

The malicious payload is at [donotclick]somaliaonfloor .ru:8080/forum/links/public_version.php hosted on the same IPs used in this attack.
113.197.88.226 (ULNetworks, Korea)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)..."
___

"Most recent events on Facebook" SPAM / attachedsignup .pro
- http://blog.dynamoo....ebook-spam.html
4 Dec 2012 - "This fake Facebook spam leads to malware on attachedsignup .pro:
Date: Tue, 4 Dec 2012 15:19:16 +0100
From: "Facebook Security Team" [fractionallyb9@hendrickauto.com]
Subject: Most recent events on Facebook
facebook Hi [redacted], You have closed your Facebook account. You can rebuild your account whenever you wish by logging into Facebook using your current login email address and password. Subsequently you will be able to take advantage of the site as usually. Please use the link below to reactivate :http://www.facebook.com/home.php If this was you, please pass over this informer. If this wasn't you, please secure your account, as some outlaw person may be explore it. Best regards, The FaceBook Team Please note: Facebook will never ask for your personal data through email. This message was sent to [redacted] from your profile details. Facebook, Inc., Attention: Department 437, PO Box 20000, Palo Alto, CA 96906

Zbot sites to block 5/12/12
- http://blog.dynamoo....lock-51212.html
5 Dec 2012 - "These domains and IPs are involved in malware distribution, especially the Zbot trojan. Most are using the nameservers in the dnsnum10 .com domain, or are co-hosted on the same server and have malicious characteristics. I've come up with a recommended blocklist based on the characteristics on the netblocks in question. If you are based in Russia, Ukraine, Poland or Iran then you may want to review these carefully.
IP addresses and hosts ...
Recommended blocklist: ..."
(More detail at the dynamoo URL above.)
___

BBB SPAM / leberiasun .ru
- http://blog.dynamoo....beriasunru.html
5 Dec 2012 - "This fake BBB spam leads to malware on leberiasun .ru:
Date: Wed, 5 Dec 2012 11:32:47 +0330
From: Bebo Service [service@noreply.bebo.com]
Subject: Urgent information from BBB
Attn: Owner/Manager Here with the Better Business Bureau notifies you that we have received a complaint (ID 243917811) from one of your customers with respect to their dealership with you. Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible. We are looking forward to your prompt reply. Regards, JONELLE Payne

SPAM gets Socl ...
- http://www.gfi.com/b...spam-gets-socl/
Dec 6, 2012 - "Microsoft have thrown open the gates to their new social network, Socl (which has a faint whiff of Pinterest about it and is also pronounced “social”. No, really). It didn’t take spammers very long to sink their claws in... we have all the Canadian Pharmacy spam you can eat...
> http://www.gfi.com/b...2/soclspam1.jpg
... links all currently lead to a page touting a 404 error... we can only hope Microsoft (will) have a Banhammer in place to deal with what will no doubt be a bump up in bad content as word of the latest social network to hit the ground running spreads across the news. We haven’t come across any Malware links yet, but as with Tumblr, Pinterest and Twitter end-users shouldn’t abandon common sense in favour of shiny, blinky things carrying a sting in the tail..."
___

Amazon SPAM / evokeunreasoning .pro
- http://blog.dynamoo....asoningpro.html
6 Dec 2012 - "A few different variants of this today, all pretending to be from Amazon and leading to malware on evokeunreasoning .pro:
Date: Thu, 6 Dec 2012 17:32:38 +0200
From: "Amazon . com" [digital-notifier@amazon.com]
Subject: Your Amazon.com order receipt.
Click here if the e-mail below is not displayed correctly. Follow us: Your Amazon.com Today's Deals See All Departments Dear Amazon.com Member, Thanks for your order, clongmore@arrowuk.com! Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account. Order Overview: E-mail Address: [redacted] Billing Address: 1113 4th Street Fort North NC 71557-2319,,FL 67151} United States Phone: 1-491-337-0438 Order Grand Total: $ 50.99 Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More Order Summary: Details: Order #: C47-8578330-3362713 Subtotal of items: $ 50.99 ------ Total before tax: $ 50.99 Tax Collected: $0.00 ------ Grand Total: $ 50.00 Gift Certificates: $ 0.99 ------ Total for this Order: $ 50.99 Find Great Deals on Millions of Items Storewide We hope you found this message to be useful. However, if you'd rather not receive future e-mails of this sort from Amazon.com, please opt-out here. 2012 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon.com, the Amazon.com logo and 1-Click are registered trademarks of Amazon.com, Inc. or its affiliates. Amazon.com, 475 Larry Ave. N., Seattle, MI 83304-6203. Reference: 61704824 Please note that this message was sent to the following e-mail address: [redacted]

The malicious payload is at [donotclick]evokeunreasoning .pro/detects/slowly_apply.php but at the time of writing the domain does not seem to be resolving."___

Phishing For Bank Account Information
- http://blog.webroot....nt-information/
Dec 6, 2012 - "... always on the look out for anything that looks ‘phishy’, even if it’s on your own personal time. Today, I opened my personal email to find this:
> https://webrootblog....png?w=413&h=444
Although the email looked very convincing, I don’t bank with Smile Bank so I knew something was up. Smile Bank is an actual bank based in the UK. The bad guys used a spoofed email address to make it look like it came from the legit Smile Bank domain smile.co.uk. If someone did bank with Smile Bank, I can see how they could easily be tricked. It’s the “Click here to proceed” link that gives the bad guys away. The link goes to a page hosted by pier3 .hk, which is a legitimate domain, but appears to be compromised with a simple HTM page that is a -redirect- to the real malicious site. The redirect sends you here:
> https://webrootblog....png?w=491&h=354
... This trick could easily be done with any large bank. Make sure to always be suspicious of any email claiming to be from your bank that -threatens- your account has been locked and insists that you need to enter your account information. Also, if the link to enter your account information isn’t to the URL of the bank it claims to be from, you know it’s malicious."
___

The malicious payload is at [donotclick]cinemaallon .ru:8080/forum/links/column.php hosted on the following familiar IPs:
202.180.221.186 (Gnet, Mongolia)
208.87.243.131 (Psychz Networks, US)..."
___

Bogus ‘Facebook Account Cancellation Request’ emails serve client-side exploits and malware
- http://blog.webroot....ts-and-malware/
Dec 5, 2012 - "Facebook users, watch what you click on! Cybercriminals are currently mass mailing bogus “Facebook Account Cancellation Requests“, in an attempt to trick Facebook’s users into clicking on the malicious link found in the email. Upon clicking on the link, users are exposed to client-side exploits which ultimately drop malware on the affected host...
Sample screenshot of the spamvertised email:
> https://webrootblog....lware.png?w=629
... Sample client-side exploits served: CVE-2010-0188; CVE-2011-3544; CVE-2010-0840
Malicious domain name reconnaissance:
lakkumigdc .com – 68.168.100.135 – Email: dolphinkarthi @gmail .com
Name Server: NS1.MACROVIEWTECH .COM – 68.168.100.136
Name Server: NS2.MACROVIEWTECH .COM – 68.168.100.137
Domains responding to the same IP, including domains also registered with the same GMail account...
Upon successful client-side exploitation, the campaign drops MD5: 8b3979c1a9c85a7fd5f8ff3caf83fc56 * ... PWS-Zbot.gen.aru
Upon execution, the sample creates the following file on the affected hosts:
%AppData%\Ixriyv\emarosa.exe – MD5: A33684FD2D1FA669FF6573921F608FBB
It also creates the following directories:
%AppData%\Ixriyv
%AppData%\Uxwonyl
As well as the following Mutex: Local\{7A4AAF46-5391-8FF9-A32F-78A34C8B50D7}
It then phones back to shallowave.jumpingcrab .com (93.174.95.78) on port 8012. Another similar subdomain on this host (takemeout.jumpingcrab .com), was also seen in a crowdsourced DDoS campaign in 2009..."
* https://www.virustot...36f00/analysis/ File name: 8b3979c1a9c85a7fd5f8ff3caf83fc56 Detection ratio: 3/46 Analysis date: 2012-12-03
___

The malicious payload is at [donotclick]ibertomoralles .com/detects/slowly_apply.php hosted on 59.57.247.185 (Xiamen JinLongLvXingChe, China). The following malicious domains also appear to be hosted on the same server..."
(More detail at the dynamoo URL above.)

Edited by AplusWebMaster, 06 December 2012 - 08:34 PM.

.The machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#1 malware threat - Blackhole exploit kits
- http://h-online.com/-1762913
5 Dec 2012 - "... according to Sophos*, 30.81% of sites hosting it are in the United States, which is followed by Russia at 17.88% and Chile at 10.77%. Sophos says that between October 2011 and March 2012, almost 30% of detected threats were either directly from Blackhole or diversions to Blackhole kits that had been rigged on formerly reputable sites... Sophos says that in 2012 the biggest problems were cloud services, the Bring Your Own Device (BYOD) movement, hacking of SQL databases, improving social engineering methods, and an increasing number of attacks on the Android mobile operating system. The latter has seen everything from SMS fraud, apparent botnets on phones, banking malware, and bogus or rogue applications from application stores..."
* http://www.sophos.co...le-exploit.aspx
Video - 3:02

Fake PayPal Emails: Windows 8 and Vintage Photo Collections
- http://www.gfi.com/b...to-collections/
Dec 7, 2012 - "If you want to panic over a mysterious transaction on Ebay to the tune of $564.48 for a “Microsoft Windows 8 Pro Anytime Upgrade”, then this is probably the email you’ve been waiting for.
It reads:
You have made an Ebay.com purchase. Hello [removed], You sent a payment of $564.48 USD to [removed]. Microsoft Windows 8 Pro Anytime Upgrade Item# 16 $564.48 USD
> http://www.gfi.com/b...12/ebaywin8.png
Clicking the link in the fake PayPal email will take end-users to the usual round of Cridex / Blackhole URLs. On a similar note, there’s an additional email floating around that claims you purchased 84 copies of “Vintage photo collection sexy college girls 1990s or 2000s”.
> http://www.gfi.com/b...2/ebaywin82.png
Last time we saw this one was back in June* where the tally was -23- ..."
* http://blog.dynamoo....arshipznet.html
___

In this case the link goes through a free web hosting site at [donotclick]longa-neara.ucoz .org which contains some heavily obfuscated javascript that eventually leads to a malicious landing page on [donotclick]nikolamireasa .com/less/demands-probably.php hosted on 188.93.210.133 (logol .ru, Russia). That IP hosts the following toxic domains that you should block: ... you might just want to cut your losses and block 188.93.210.0/23 too. Anyway, the curious thing is that the malicious javascript uses an intermediary obfuscation site called api.myobfuscate .com... if the bad guys have a use for it then you can bet they are probably about to abuse it in a big way. Both api.myobfuscate .com and www.myobfuscate .com are hosted on the same IP at 188.64.170.17 (also in Russia) which is part of a tiny netblock of 188.64.170.16/31 which you may as well block too. The 188.64.170.17 IP also contains the following domains which might also be abused in the same way: ...

In my opinion, obfuscating javascript is a really bad thing and there is no legitimate reason to use it. Blocking access to free-to-use obfuscation tools like this may run the risk of breaking some legitimate sites. But only if they have been coded by idiots."

AICPA SPAM / ibertomoralles .org
- http://blog.dynamoo....orallesorg.html
7 Dec 2012 - "I haven't seen fake AICPA spam like this for a while, it leads to malware on ibertomoralles .org:
From: AICPA [noreply@aicpa.org]
Date: 7 December 2012 16:55
Subject: Your accountant license can be cancelled.
You're receiving this information as a Certified Public Accountant and a member of AICPA. Having any problems reading this email? See it in your favorite browser. AICPA logo Revocation of CPA license due to income tax fraud accusations Dear AICPA participant, We have been informed of your potential involvement in tax return swindle on behalf of one of your employers. In obedience to AICPA Bylaw Article 700 your Certified Public Accountant position can be discontinued in case of the aiding of filing of a phony or fraudulent income tax return for your client or employer. Please be notified below and provide explanation of this issue to it within 14 work days. The rejection to provide elucidation within this time-frame would finish in decline of your Accountant status. Delation.pdf The American Institute of Certified Public Accountants. Email: service @aicpa .org Tel. 888.777.7077 Fax. 800.362.5066
===================
Date: Fri, 7 Dec 2012 18:31:58 +0100
From: "AICPA" [do-not-reply @aicpa .org]
Subject: Tax return assistance contrivance.
You're receiving this note as a Certified Public Accountant and a part of AICPA. Having any problems reading this email? See it in your favorite browser. Cancellation of Public Account Status due to tax return indictment Respected accountant officer, We have received a note of your presumable interest in income tax fraud for one of your clients. In concordance with AICPA Bylaw Article 600 your Certified Public Accountant status can be discontinued in case of the event of submitting of a fake or fraudulent income tax return on the member's or a client's behalf. Please familiarize yourself with the complaint below and provide your feedback to it within 14 work days. The rejection to respond within this time-frame will result in end off of your CPA license. Delation.doc The American Institute of Certified Public Accountants. Email: service@aicpa.org Tel. 888.777.7077 Fax. 800.362.5066

The malicious payload is at [donotclick]ibertomoralles.org/detects/five-wise_leads_ditto.php hosted on the same Chinese IP address of 59.57.247.185 as used in this spam yesterday*."
* http://blog.dynamoo....orallescom.html
___

Sendspace "You have been sent a file" SPAM / pelamutrika .ru
- http://blog.dynamoo....-file-spam.html
7 Dec 2012 - "This fake Sendspace spam leads to malware on pelamutrika .ru:
Date: Fri, 7 Dec 2012 10:53:57 +0200
From: Badoo [noreply @badoo .com]
Subject: You have been sent a file (Filename: [victimname]-64.pdf)
Sendspace File Delivery Notification: You've got a file called [victimname]-792244.pdf, (337.19 KB) waiting to be downloaded at sendspace.(It was sent by CHASSIDY PROCTOR). You can use the following link to retrieve your file: Download Link The file may be available for a limited time only. Thank you, sendspace - The best free file sharing service. ---------------------------------------------------------------------- Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

The malicious payload is at [donotclick]pelamutrika .ru:8080/forum/links/column.php hosted on the following familiar IP addresses which you should definitely try to block:
202.180.221.186 (GNet, Mongolia)
208.87.243.131 (Psychz Networks, US)"
___

Searching for “Windows Android Drivers” Leads to Malware and Bogus Google Play Markets
- http://www.gfi.com/b...e-play-markets/
7 Dec 2012 - "If you’re on the lookout for Android USB drivers for your Windows OS, be very careful. Such strings like “Windows Android Drivers” or combinations of these may bring up results that you would rather stay away from. Our researchers in the AV Labs have found this peculiar search result on Yahoo!... Visiting the Russian URL, bestdrivers(dash)11(dot)ru, automatically downloads a file called install.exe... Running the .exe file, which is a Trojan that we detect as Trojan.Win32.Generic!BT, allows it to modify the start page of the user’s IE browser to 94(dot)249(dot)188(dot)143/stat/tuk/187, a sign-up page for a Russian “escort” site. It does this so users are directed to the page by default whenever they open their IE browser..." (-aka- Hijacked...)
(More detail and screenshots at the gfi URL above.)
___

Christmas themed SCAMS on Facebook ...
- http://community.web...n-facebook.aspx
06 Dec 2012 - "... We spotted more than 3,000 unique URLs used for this scam on Facebook. The high variation is used by cyber criminals to assure persistence and redundancy in case some URLs or domains get blacklisted.
> http://community.web...k_5F00_xmas.jpg
... Here are some of the offending IP addresses found to be part of the scam infrastructure hosting the scam web sites: ...
We believe that this attack is now under control and is being successfully mitigated by Facebook. We're seeing a gradual decline in incidences, but it's safe to say that while it's declining it's still going strong..."

Edited by AplusWebMaster, 08 December 2012 - 03:31 PM.


Fake Sendspace SPAM "You have been sent a file" / anifkailood .ru
- http://blog.dynamoo....space-spam.html
10 Dec 2012 - "This fake Sendspace spam leads to malware on anifkailood .ru:
Date: Mon, 10 Dec 2012 06:01:01 -0500
From: "Octavio BOWMAN" [AdlaiBaldacci @telefonica .net]
Subject: You have been sent a file (Filename: [redacted]-722.pdf)
Sendspace File Delivery Notification: You've got a file called [redacted]-018.pdf, (767.2 KB) waiting to be downloaded at sendspace.(It was sent by Octavio BOWMAN). You can use the following link to retrieve your file: Download Link The file may be available for a limited time only. Thank you, sendspace - The best free file sharing service. Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

The malicious payload is at [donotclick]anifkailood .ru:8080/forum/links/column.php hosted on the following IPs:
202.180.221.186 (GNet, Mongolia)
212.162.52.180 (Secure Netz, Germany)
212.162.56.210 (Secure Netz, Germany)..."
___

Fake AICPA SPAM / eaglepointecondo .co
- http://blog.dynamoo....ntecondoco.html
10 Dec 2012 - "This fake AICPA spam leads to malware on eaglepointecondo .co:
Date: Mon, 10 Dec 2012 19:29:21 +0400
From: "AICPA" [alerts@aicpa.org]
Subject: Income fake tax return accusations.
You're receiving this email as a Certified Public Accountant and a member of AICPA. Having difficulties reading this email? Take a look at it in your browser. Termination of Public Account Status due to income tax fraud allegations Respected accountant officer, We have received a denouncement about your probable interest in income tax return swindle for one of your customers. In concordance with AICPA Bylaw Head # 500 your Certified Public Accountant status can be revoked in case of the occurrence of submitting of a faked or fraudulent income tax return for your client or employer. Please be notified below and provide explanation of this issue to it within 21 business days. The rejection to provide elucidation within this period would finish in end off of your CPA license. SubmittedReport.doc The American Institute of Certified Public Accountants. Email: service @aicpa .org Tel. 888.777.7077 Fax. 800.362.5066

The malicious payload is at [donotclick]eaglepointecondo .co/detects/denouncement-reports.php hosted on 59.57.247.185 in China, which has been used a few times recently* for malware distribution..."
* http://blog.dynamoo....q=59.57.247.185

Your CPA License has -not- been revoked
- https://isc.sans.edu...l?storyid=14674
Last Updated: 2012-12-10 - "I have been seeing some e-mails hitting my spam traps today, warning me of my revoked CPA license. No, I am not a CPA. But the e-mails are reasonably well done, so I do think some CPAs may fall for them. At least they got the graphics nice and pretty, but the text could be better worded.
> https://isc.sans.edu...es/CPAEmail.png
The only clickable link is the "Delation.pdf" (maybe that should be deletion?). Upon clicking the link, we are sent on the usual malware redirect loop:
The first stop is httx ://tesorogroup .com/components/com_ag_google_analytics2/taxfraudalert.html
It includes javascript and meta tag redirects to
httx ://eaglepointecondo. co/ detects /denouncement-reports.php
... which will test our browser for vulnerable plugins and try to run a java applet. Looks all very "standard". You may want to check your DNS server logs for anybody resolving tesorogroup.com or eaglepointecondo.co . The two hosts currently resolve to 64.15.152.49 and 59.57.247.185 respectively.
Wepawet does a nice job analysing the obfuscated javascript:
http://wepawet.isecl...5160668&type=js ..."
___

Facebook SCAM goes wild - doubles over the weekend ...
- http://community.web...he-weekend.aspx
10 Dec 2012 - "Last week we wrote a blog* about a specific Facebook scam that appeared to spread rather aggressively... Websense.. detected that the scam has increased and multiplied over the weekend - particularly on Saturday where we saw the amount of unique URLs related to this scam double. This shows how cyber crooks time their attacks to times where users are more laid back and when the security community is less likely to alert users on this type of threat... The scam spreads using click-jacking techniques and employs a mass number of varied scam hosts by using the infrastructure of the legitimate service at freedns.afraid .org... A graph showing the volume of unique scam URLs vs. active URLs (available URLs) over the past few days:
> http://community.web...mas_5F00_23.jpg
Screenshot of the scam's main page:
> http://community.web...mas_5F00_24.jpg
What the scam looks like in Facebook's news feed. The scam uses varied sexual implied images and varied enticing wording to lure for user's clicks:
> http://community.web...mas_5F00_25.jpg

Facebook Spam leverages/abuses Instagram App
- http://blog.trendmic...-instagram-app/
Dec 10, 2012 - "... social networking sites have been often used to proliferate malware. Just recently, we spotted a Facebook clickjacking attack that leverages and abuses Instagram to point users to malicious websites. Users encounter this threat by being tagged in a photo posted by one of their contacts on Facebook. The post states that users can know who visited their profile on Facebook and how often. It also includes a photo posted via Instagram. We noticed that the photo and the names used in the “Recent Profile Views” (see below) are used repeatedly for other attacks.
> http://blog.trendmic..._screenshot.gif
Should users decide to click the link, they are led to a page with instructions on how to generate the verification code. Once done, a pop-up window appears, which is actually the Instagram for Facebook app asking users to click “Go to App” button. Once done, it -redirects- users to a page that looks like the Facebook Home page.
> http://blog.trendmic...ge_facebook.gif
... the address bar is different from the legitimate Facebook homepage. Users are then asked to copy and paste the malicious URL (which varies per user) in a certain dialog box and to click ‘continue’... the link so far gathered 825,545 clicks worldwide, mostly coming from the Philippines and India. The said link is attributed to the account maygup88, who is also responsible for other 130 domains blocked. This type of threat on Facebook has taken on different forms these past months, usually under the veil of popular brands such as Diablo 3 and iPad. It even expanded to other social networking sites like Pinterest and Tumblr, which only means one thing: users are still falling for these scams. With this in mind, users are advised to take precautionary steps such as double-checking the legitimacy of links and posts. And remember: just because a contact posted that link, it does not mean it’s safe..."
___

AICPA SPAM / eaglepointecondo .org
- http://blog.dynamoo....aicpa-spam.html
10 Dec 2012 - "Yet another fake AICPA spam run today with a slightly different domain from before, now on eaglepointecondo .org:
Date: Mon, 10 Dec 2012 18:51:38 +0100
From: "AICPA" [info@aicpa.org]
Subject: Tax return assistance fraud.
You're receiving this message as a Certified Public Accountant and a part of AICPA. Having any issues reading this email? Overview it in your favorite browser. Suspension of CPA license due to income tax indictment Valued AICPA participant, We have been notified of your potential participation in income tax refund shady transactions for one of your customers. In concordance with AICPA Bylaw Head # 740 your Certified Public Accountant status can be terminated in case of the act of submitting of a phony or fraudulent tax return for your client or employer. Please be informed of the complaint below and respond to it within 7 work days. The refusal to respond within this period will finish in cancellation of your Accountant status. Delation.pdf The American Institute of Certified Public Accountants. Email: service@aicpa.org Tel. 888.777.7077 Fax. 800.362.5066
===================
Date: Mon, 10 Dec 2012 14:50:40 -0300
From: "AICPA" [noreply@aicpa.org]
Subject: Your accountant license can be end off.
You're receiving this message as a Certified Public Accountant and a part of AICPA. Having problems reading this email? Review it in your browser. Suspension of Accountant status due to tax return fraud prosecution Respected AICPA member, We have received a complaint about your alleged participation in income tax return fraudulent activity for one of your employees. In accordance with AICPA Bylaw Section No. 500 your Certified Public Accountant license can be terminated in case of the event of presenting of a false or fraudulent tax return for your client or employer. Please find the complaint below below and provide your feedback to it within 3 work days. The rejection to provide the clarifications within this time-frame would abide in end off of your Certified Accountant Career. SubmittedReport.pdf The American Institute of Certified Public Accountants. Email: service@aicpa.org Tel. 888.777.7077 Fax. 800.362.5066

In this case the malicious payload is at [donotclick]eaglepointecondo .org/detects/denouncement-reports.php hosted on 59.57.247.185 in China, as with the earlier spam run today*."
* http://blog.dynamoo....ntecondoco.html
___

GFI Labs Email Roundup for the Week
- http://www.gfi.com/b...for-the-week-5/
Dec 10, 2012 - "... noteworthy email threats for the week of December 3 to 7:
- Phishers Target Wells Fargo Clients
- Message from the Department of Investigations
- Amazon eBook Spam in the Wild
- Spam from AICPA ..."
(More detail and screenshots at the gfi URL above.)

Edited by AplusWebMaster, 10 December 2012 - 08:49 PM.

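The ISC diary above recommends checking DNS server logs for anyone resolving tesorogroup.com or eaglepointecondo.co. The following scanner is an added example (not code from the original post or from ISC): it reads BIND 9 querylog lines, flags either name or any subdomain of it while ignoring look-alike names, and additionally picks out clients that resolved the redirector and then the landing host within a minute, which is the full redirect chain the diary describes. The log format is assumed and every sample line is constructed for the demo.

```python
"""Flag DNS lookups for the two hosts in the ISC diary above
(tesorogroup.com, the redirector, and eaglepointecondo.co, the exploit-kit
landing host).  Added example, not code from the original post or from ISC.
Assumes BIND 9 'querylog' formatted lines; every sample line is constructed.
"""
import re
from datetime import datetime, timedelta

REDIRECTOR = "tesorogroup.com"      # first hop named in the diary
LANDING = "eaglepointecondo.co"     # exploit-kit landing host
WATCHLIST = (REDIRECTOR, LANDING)

# BIND 9 querylog line, e.g.
# 10-Dec-2012 14:05:42.910 client 10.0.0.17#40211: query: tesorogroup.com IN A + (10.0.0.2)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"


def watched_domain(qname):
    """Return the watchlist entry that qname equals or is a subdomain of.

    Names are compared case-insensitively and without the trailing dot BIND
    may log, and the match is on label boundaries so that a look-alike such
    as noteaglepointecondo.co does NOT match.
    """
    name = qname.rstrip(".").lower()
    for domain in WATCHLIST:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def scan(lines):
    """Return (timestamp, client_ip, matched_domain) for every watched lookup."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query line (zone loads, errors, other formats)
        domain = watched_domain(m.group("qname"))
        if domain:
            ts = datetime.strptime(m.group("ts"), TS_FORMAT)
            hits.append((ts, m.group("client"), domain))
    return hits


def suspicious_clients(hits):
    """Sorted, de-duplicated client IPs that resolved any watched name."""
    return sorted({client for _, client, _ in hits})


def redirect_chains(hits, window=timedelta(seconds=60)):
    """Clients that resolved the redirector and, within `window` afterwards,
    the landing host: the complete chain the diary describes, which is a
    stronger signal than a single lookup."""
    events = {}
    for ts, client, domain in sorted(hits):
        events.setdefault(client, []).append((ts, domain))
    chained = []
    for client, seq in events.items():
        for i, (t1, d1) in enumerate(seq):
            if d1 == REDIRECTOR and any(
                d2 == LANDING and t2 - t1 <= window for t2, d2 in seq[i + 1:]
            ):
                chained.append(client)
                break
    return sorted(chained)


# Constructed sample log: 10.0.0.17 walks the whole chain; 10.0.0.23 touches
# both names but in the wrong order; the look-alike domain must be ignored.
SAMPLE_LOG = [
    "10-Dec-2012 14:03:11.123 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.2)",
    "10-Dec-2012 14:05:42.910 client 10.0.0.17#40211: query: tesorogroup.com IN A + (10.0.0.2)",
    "10-Dec-2012 14:05:43.302 client 10.0.0.17#40212: query: eaglepointecondo.co IN A + (10.0.0.2)",
    "10-Dec-2012 14:06:01.004 client 10.0.0.9#53000: query: mail.example.com IN MX - (10.0.0.2)",
    "10-Dec-2012 14:07:15.777 client 10.0.0.23#44444: query: EAGLEPOINTECONDO.CO. IN A + (10.0.0.2)",
    "10-Dec-2012 14:07:16.000 client 10.0.0.23#44445: query: noteaglepointecondo.co IN A + (10.0.0.2)",
    "10-Dec-2012 14:07:16.000 client 10.0.0.23#44446: query: www.tesorogroup.com IN A + (10.0.0.2)",
    "zone example.com/IN: loaded serial 2012121001",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ts, client, domain in found:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {client:<12} resolved {domain}")
    print("clients to check:", suspicious_clients(found))
    print("clients that followed the redirect chain:", redirect_chains(found))
```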

The malicious payload is at [donotclick]aseniakrol .ru:8080/forum/links/column.php hosted on a bunch of IPs that have been used for malware before:
202.180.221.186 (GNet, Mongolia)
212.162.52.180 (Secure Netz, Germany)
212.162.56.210 (Secure Netz, Germany)..."


Fake Sendspace emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Dec 12, 2012 - "Cybercriminals are currently attempting to trick hundreds of thousands of users into clicking on the malicious links found in the currently spamvertised -bogus- ‘Sendspace File Delivery Notifications‘. Upon clicking on any of the links found in the email, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog....exploit_kit.png
... Sample client-side exploits served: CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: 532bdd2565cae7b84cb26e4cf02f42a0 * ... Worm:Win32/Cridex.E
Once executed it creates %AppData%\kb00121600.exe on the affected system.
The sample also creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
As well as the following Mutexes:
Local\XMM00000418
Local\XMI00000418
Local\XMRFB119394
Local\XMM000005E4
Local\XMI000005E4
Local\XMM0000009C
Local\XMI0000009C
Local\XMM000000C8
Local\XMI000000C8
It then phones back to hxxp ://210.253.102.95 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ and to hxxp ://123.49.61.59 :8080/AJtw/UCyqrDAA/Ud+asDAA/ ..."
(More detail at the webroot URL above.)
* https://www.virustot...1eb2b/analysis/ File name: contacts.exe.x-msdownload Detection ratio: 33/44 Analysis date: 2012-11-13
___

The malicious payload is at [donotclick]platinumbristol .net/detects/alert-service.php hosted on the same 59.57.247.185 IP address in China that has been used in several recent attacks. This is definitely an IP to block if you can. I can see the following evil domains on that same server..."
(More detail at the dynamoo URL above.)

Edited by AplusWebMaster, 12 December 2012 - 11:44 AM.

The links in the email bounce through a legitimate hacked site, and in the samples I have seen end up on [donotclick]6.bbnface .com/string/obscure-logs-useful.php or [donotclick]6.mamaswishes .com/string/obscure-logs-useful.php both hosted on 173.246.102.223 (Gandi, US) which probably contains many other evil sites, so blocking that IP address would probably be prudent."___

The malicious payload is at [donotclick]awoeionfpop .ru:8080/forum/links/column.php hosted on the following IPs that I haven't seen before:
75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)
..."
(More detail at the dynamoo URL above.)
___

The malicious payload is on [donotclick]eaglepointecondo .biz/detects/operation_alert_login.php hosted on 59.57.247.185 in China, the same IP has been used several times for evil recently and you should block it if you can."

Edited by AplusWebMaster, 13 December 2012 - 11:47 AM.

Dexter malware targets POS systems...
- http://www.theregist...ts_pos_systems/
14 Dec 2012 - "You could be getting more than you bargained for when you swipe your credit card this holiday shopping season, thanks to new malware that can skim credit card info from compromised point-of-sale (POS) systems. First spotted by security firm Seculert*, the malware dubbed "Dexter" is believed to have infected hundreds of POS systems in 40 countries worldwide in recent months. Companies targeted include retailers, hotel chains, restaurants, and private parking providers. The US, the UK, and Canada top the list of countries where the malicious app has been found... Once the malware is installed on a POS system, it grabs the machine's list of active processes and sends them to a command-and-control server – a highly unusual step for POS malware, according to security researchers at Trustwave**..."
* http://blog.seculert...f-point-of.html

Something evil on 87.229.26.138
- http://blog.dynamoo....8722926138.html
14 Dec 2012 - "This seems to be a bunch of evil domains on 87.229.26.138 (Deninet, Hungary) being used in injection attacks. Possible payloads include Blackhole (for example*).
* http://urlquery.net/...t.php?id=406222
There are two sets of domains, .in domains being used by themselves and .eu domains being used with subdomains, listed below. The registration details are probably fake, but for the record the .eu domains are registered to:
Juha Salonen
Lukiokatu 23
13430 Hameenlinna
Hameenlinna
Finland
salonen_juha @yahoo .com
The .in domains are registered to:
Puk T Lapkanen
Puruntie 33
LAPPEENRANTA
53200
FI
+358.443875638
puklapkanen @yahoo .com
If you can block the IP address then it will be the simplest option as there are rather a lot of domains here..."
(More detail at the dynamoo URL above.)
___

The malicious payload is at [donotclick]4.whereintrentinoaltoadige .com/string/obscure-logs-useful.php hosted on 198.74.54.28 (Linode, US)... malicious domains are also on the same server..."(More detail at the dynamoo URL above.)___

The malicious payload is at [donotclick]6.bbnsmsgateway .com/string/obscure-logs-useful.php hosted on 192.155.81.9 (Linode, US). There are probably some other bad domains on this server, so blocking access to that IP could be prudent."___

The malicious payload is at [donotclick]aviaonlolsio .ru:8080/forum/links/column.php hosted on the same IPs as used in this attack:
75.148.242.70 (Comcast Business, US)
91.142.208.144 (Axarnet, Spain)
..."
___

Fake Chase emails lead to malware
- http://blog.webroot....ead-to-malware/
Dec 14, 2012 - "Cybercriminals are currently mass mailing tens of thousands of emails, impersonating Chase in an attempt to trick its customers into executing the malicious attachment found in the fake email. Upon execution, the sample downloads additional malware on the affected hosts, and opens a backdoor allowing the cybercriminals behind the campaign complete access to the host...
Sample screenshot of the spamvertised email:
> https://webrootblog....ring.png?w=1024
... the cybercriminal/cybercriminals behind it applied low QA (Quality Assurance) since the actual filename found in the malicious archive exceeds 260 characters, resulting in a failed extraction process on Windows hosts.
“C:\Users\Workstation\Desktop\Statement_random_number.pdf.zip: Cannot create Statement_ID_random_number.pdf.exe
Total path and file name length must not exceed 260 characters. The system cannot find the path specified.”
Sample detection rate for the spamvertised attachment: MD5: 676c1a01739b855425f9492126b34d23 * ... Trojan-PSW.Win32.Tepfer.cbrv.
Makes DNS request to 3.soundfactor .org, then it establishes a TCP connection with 184.184.247.60 :14511, as well as UDP connections to the following IPs:
184.184.247.60 :23089
99.124.198.193 :13197
78.93.215.24 :14225
68.167.50.61 :28650 ..."
(More detail at the webroot URL above.)
* https://www.virustot...sis/1355442736/
File name: Statement_ID.pdf.exe
Detection ratio: 42/46
Analysis date: 2012-12-13
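The failed extraction quoted above is a useful gateway check in its own right: the archive member name alone exceeds the 260-character Windows MAX_PATH, and it hides an .exe behind a .pdf extension. The Python below is an added example, not the forum poster's or Webroot's code; the archive it inspects is constructed in memory with harmless text in place of the real payload, and the destination folder is the one shown in the quoted error message.

```python
"""Attachment triage for the trick described in the quoted Chase campaign.

Added example, not code from the original post or from Webroot. It inspects a
zip attachment and flags members that (a) carry an executable extension hidden
behind a document extension such as .pdf.exe, and (b) would exceed Windows'
260-character MAX_PATH when extracted to a given folder, which is exactly the
failure the quoted error message shows. Nothing is ever extracted.
"""
import io
import os
import zipfile

MAX_PATH = 260  # Windows limit: full path incl. drive, separators and the NUL
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Destination folder shown in the quoted error message (28 characters).
DEST_DIR = r"C:\Users\Workstation\Desktop"


def extracted_path_length(dest_dir, member_name):
    """Length Windows will see for dest_dir\\member_name: the folder, one
    separator, the member name and the terminating NUL that MAX_PATH counts."""
    return len(dest_dir) + 1 + len(member_name) + 1


def classify_member(member_name, dest_dir=DEST_DIR):
    """Return the reasons a zip member is suspicious (empty list if none)."""
    reasons = []
    stem, ext = os.path.splitext(member_name)
    _, inner_ext = os.path.splitext(stem)      # the extension the user sees
    if ext.lower() in EXECUTABLE_EXTS:
        reasons.append("executable")
        if inner_ext.lower() in DOCUMENT_EXTS:
            reasons.append("double extension")
    length = extracted_path_length(dest_dir, member_name)
    if length > MAX_PATH:
        reasons.append(f"path length {length} > {MAX_PATH}")
    return reasons


def triage_archive(data, dest_dir=DEST_DIR):
    """Inspect every member of a zip held in memory and report the bad ones."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_member(info.filename, dest_dir)
            if reasons:
                findings.append({"name": info.filename,
                                 "size": info.file_size,
                                 "reasons": reasons})
    return findings


def build_sample_archive():
    """Constructed stand-in for the campaign's archive: the payload bytes are
    harmless text, only the member names matter for this check."""
    # 13 + 250 + 8 = 271 characters: over the limit before any folder is added
    too_long = "Statement_ID_" + "0" * 250 + ".pdf.exe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(too_long, b"not a real executable")
        zf.writestr("Statement_ID_12345.pdf.exe", b"not a real executable")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        shown = f["name"] if len(f["name"]) <= 40 else f["name"][:40] + "..."
        print(shown, f["reasons"])
```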

Edited by AplusWebMaster, 14 December 2012 - 02:50 PM.

Pharma SPAM - pillscarehealthcare .com
- http://blog.dynamoo....recom-spam.html
17 Dec 2012 - "There has been a massive amount of pharma spam pointing to pillscarehealthcare .com over the past 48 hours or so. Here are some examples:
Date: Mon, 17 Dec 2012 02:47:56 +0000 (GMT)
From: "Account Info Change" [tyjinc @palmerlakearttour .com]
To: [redacted]
Subject: Updated information
Updated information Hello, The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer. If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password. This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center. Thanks, Customer Support
==================
Date: Mon, 17 Dec 2012 01:22:56 -0700
From: "Angela Snider" [directsales @tyroo .com]
To: [redacted]
Subject: Pending ticket status
Ticketing System Hello, You have been successfully registered in our Ticketing System Please, login and check status of your ticket, or close the ticket here Go To Profile See All tickets This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
==================
Date: Sat, 15 Dec 2012 21:37:47 -0700
From: "Alexis Houston" [cmassuda @agf .com .br]
To: [redacted]
Subject: Pending ticket notification
Ticketing System Hello, You have been successfully registered in our Ticketing System Please, login and check status of your ticket, or report new ticket here Go To Profile See All tickets This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.
==================
Date: Sat, 15 Dec 2012 07:06:30 -0800
From: "Account Sender Mail" [daresco @excite .com]
To: [redacted]
Subject: Account is now available
Login unavailable due to maintenance ([redacted]) Hello, Your Account is now available. Our systems were unavailable due to maintenance and upgrading system. We apologizes for any inconvenience and appreciates the patience while this critical maintenance was performed. If you still face the problem then it would be better if you contact our team. Access Your Account Hope this information helps you. Thanks, Support team
==================
From: Kennedi Marquez [mailto:cwtroutn @naturalskincarereviews .info]
Sent: 17 December 2012 11:18
Subject: Updated information
Updated information Hello, The following information for your ID [redacted] was updated on 12/17/2012: Date of birth, Security question and answer. If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password. This is an automated message. Please do not reply to this email. If you need additional help, visit our Support Center. Thanks, Customer Support

This appears to be punting fake drugs rather than malware. pillscarehealthcare .com is hosted on 95.58.254.74 (Kazakh Telecom, Kazakhstan). In my opinion blocking 95.58.254.0/24 will probably do you no harm. These other fake pharma web sites can be found on the same IP address..."(More detail at the dynamoo URL above.)

The malicious payload is at [donotclick]apensiona .ru:8080/forum/links/column.php which is hosted on 217.112.40.69 (Utransit, claims to be from the UK but probably Russia). The following malicious domains are also on that IP address..."(More detail at the dynamoo URL above.)___

LinkedIn SPAM / apensiona .ru
- http://blog.dynamoo....pensionaru.html
18 Dec 2012 - "This fake LinkedIn spam leads to malware on apensiona .ru:
From: messages-noreply @bounce .linkedin .com on behalf of LinkedIn Connections
Sent: Tue 18/12/2012 14:01
Subject: Join my network on LinkedIn
LinkedIn Hien Lawson has indicated you are a Friend I'd like to add you to my professional network on LinkedIn. - Hien Lawson Accept View invitation from Hien Lawson WHY MIGHT CONNECTING WITH Hien Lawson BE A GOOD IDEA? Hien Lawson's connections could be useful to you After accepting Hien Lawson's invitation, check Hien Lawson's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future. 2012, LinkedIn Corporation

The malicious payload is at [donotclick]apensiona .ru:8080/forum/links/column.php (the same payload as here*) although this time the IPs have changed to:
109.235.71.144 (Serveriai, Lithuania)
176.31.111.198 (OVH, France)
217.112.40.69 (Utransit, UK)
Here's a plain list if you want to block the lot:
109.235.71.144
176.31.111.198
217.112.40.69 ..."
* http://blog.dynamoo....pensionaru.html

Edited by AplusWebMaster, 18 December 2012 - 03:46 PM.

Fake AV - Malware sites to block 19/12/12
- http://blog.dynamoo....ock-191212.html
19 Dec 2012 - "This group of sites appears to be using fake AV applications to download a malicious file scandsk.exe (report here*) via 79.133.196.103 (eTop, Poland) and 82.103.140.100 (Easyspeedy, Denmark) which then attempts to call home to 46.105.131.126 (OVH, Ireland).
* https://www.virustot...4bc70/analysis/
Detection ratio: 14/45
This is a screenshot of the fake AV in action:
> https://lh3.ggpht.co...1600/fakeav.png
From this point, the scandsk.exe gets downloaded either through an exploit or social engineering. This executable looks like some sort of downloader, which attempts to pull down additional data from these non-responding domains:
report.q7ws17sk1ywsk79g .com
report.7ws17sku7myws931u .com
report.u79i1qgmywskuo9o .com
There's some sort of trickery here, perhaps it requires exactly the right kind of factors to hit a valid URL, the automated analysis tools are inconsistent... but seem to indicate a C&C on 46.105.131.126. This IP belongs to OVH (no surprises there) but seems to have been suballocated:
inetnum: 46.105.131.120 - 46.105.131.127
netname: marysanders1
descr: marysanders1net
country: IE
org: ORG-OH5-RIPE
admin-c: OTC9-RIPE
tech-c: OTC9-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
I suspect that this whole block is being used for malicious purposes, 46.105.131.123 hosts a site called find-and-go .com registered in China which has been fingered as an attack site before... I would recommend blocking the entire 46.105.131.120/29 to be on the safe side. The infection sites are on 82.103.140.100 and 79.133.196.103, they make extensive use of subdomains of mooo .com, ez .lv and zyns .com. There are probably legitimate sites making use of these domains, but blocking them completely should give you few headaches. 79.133.196.103 is part of a small block of IPs, 79.133.196.96/27, that I have seen malware on before, specifically 79.133.196.105 and 79.133.196.124. Blocking the entire /27 is probably a good idea.
Recommended blocklist:
46.105.131.120/29
82.103.140.100
79.133.196.97/27
mooo .com
ez .lv
zyns .com
Alternatively, these are some of the subdomains in use.. there are a lot of them, and probably more than I have listed here..."
(More detail at the dynamoo URL above.)
___

Fake Facebook SPAM / 46.249.58.211 and 84.200.77.218
- http://blog.dynamoo....8420077218.html
19 Dec 2012 - "There are various Facebook spams doing the rounds pointing to a variety of malware sites on 46.249.58.211 and 84.200.77.218, for example:
From: FB.Team
Sent: 19 December 2012 14:30
Subject: Re-activate account
Hi [redacted], Your account has been blocked due to spam activity. To verify account, please follow this link: http ://www.facebook .com/confirmemail.php?e=[redacted] You may be asked to enter this confirmation code: [redacted] The Facebook Team Didn't sign up for Facebook? Please let us know.

46.249.58.211 (Serverius Holding, Netherlands)...
84.200.77.218 (Misterhost, Germany)...
GFI has some more details on this one here*."
* http://gfisoftware.t...o-spam-activity
Your Facebook Account is Blocked due to Spam Activity
Dec 19, 2012
___

Fake ‘Change Facebook Color Theme’ events lead to rogue Chrome extensions- http://blog.webroot....ome-extensions/Dec 19, 2012 - "Cybercriminals have recently launched a privacy-violating campaign spreading across Facebook in an attempt to trick Facebook’s users into installing a rogue Chrome extension. Once installed, it will have access to all the data on all web sites, as well as access to your tabs and browsing history...Sample screenshot of one of the few currently active Facebook Events promoting the rogue Chrome extension:> https://webrootblog....nsion.png?w=702The campaign is relying on automatically registered Tumblr accounts, where the actual redirection takes place. Users are exposed to the following page, enticing them into changing their Facebook color theme:> https://webrootblog....png?w=477&h=289Once users accept the EULA and Privacy Policy, they will become victims of the privacy-violating Chrome extension:> https://webrootblog....png?w=555&h=355... the cybercriminals behind the campaign not only hosted it on Amazon’s cloud, they also featured it in Chrome’s Web Store:> https://webrootblog....png?w=614&h=324In case users choose -not- to accept the EULA and the Privacy Policy, the cybercriminals behind the campaign will once again attempt to monetize the hijacked Facebook traffic by asking them to participate in surveys, part of CPA (Cost-Per-Action) affiliate network, earning -them- money:> https://webrootblog....png?w=554&h=310... Users are advised to be extra cautious when accepting EULAs and Privacy Policies, in particular when installing browser extensions that have the capacity to access sensitive and personally identifiable data on their PCs..."___

Google Docs SPAM/PHISH...- https://isc.sans.edu...l?storyid=14731Last Updated: 2012-12-19 - "... Scams where the attacker's data-collection form resides at a Google Docs (now Google Drive) are especially difficult to warn users about. After all, the malicious webpage resides at the -trusted- google .com domain. The effect is especially severe for organizations using Google Apps as a collaboration platform... such scams aren't going away any time soon..."> F-secure: http://www.f-secure....s/00002168.html> GFI: http://www.gfi.com/b...-docs-phishing/> Sophos: http://nakedsecurity...om-google-docs/... Recipients who clicked the "CLICK HERE" link were directed to the following "IT HELPDESK SERVICE" page, which prompted for logon credentials that the attacker wanted to capture...> https://isc.sans.edu...k-service-3.png... The attacker was likely using a -compromised- Google Apps account of another organization to create a Google Docs spreadsheet and expose its data entry form... Avoid clicking on email links when you need to take important actions that require logging in. Relying on a previously-saved bookmark is safer..."___

LinkedIn Spam: The Repeat- http://www.gfi.com/b...pam-the-repeat/Dec 19, 2012 - "Another slew of spam claiming to originate from LinkedIn has hit the wild Internet in less than 24 hours, according* to the real time recording and tracking of email threats by our researchers in the AV Labs.* http://gfisoftware.t...on-spam-returns... Here’s what the email looks like:> http://www.gfi.com/b...dIn_1218-wm.pngFrom: {bogus email address} To: {random} Subject: Join my network on LinkedIn Message body: {redacted} has indicated you are a Friend I’d like to add you to my professional network on LinkedIn. [Allow button] View invitation from {redacted} WHY MIGHT CONNECTING WITH {redacted} BE A GOOD IDEA? {redacted} connections could be useful to you After accepting {redacted} invitation, check {redacted} connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.Clicking the Allow button or the link on the message body directs users to several Web pages of compromised sites, which all look like this:> http://www.gfi.com/b...-wm-300x105.pngThis page laced with the Blackhole Exploit Kit code then auto-redirects users to a Russian website where the Cridex info-stealer payload can be downloaded.> http://www.gfi.com/b...-wm-300x131.pngwhen in doubt, users should simply visit their LinkedIn pages and check their profile mailbox for invites..."___

The malicious payload is at [donotclick]angelaonfl .ru:8080/forum/links/column.php hosted on the following IPs:
91.224.135.20 (Proservis UAB, Lithuania)
210.71.250.131 (Chunghwa Telecom, Taiwan)
217.112.40.69 (Utransit, UK)
The following domains and IPs are all related and should be blocked if you can:
91.224.135.20
210.71.250.131
217.112.40.69 ..."
(More detail at the dynamoo URL above.)
___

Fake ‘Citi Account Alert’ emails lead to BlackHole Exploit Kit
- http://blog.webroot....le-exploit-kit/
Dec 20, 2012 - "Cybercriminals are currently mass mailing hundreds of thousands of emails impersonating Citi, using -two- different professionally looking email templates. Upon clicking on any of the links found in the malicious emails, users are exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...
Sample screenshot of the first spamvertised template:
> https://webrootblog....exploit_kit.png
Sample screenshot of the second spamvertised template:
> https://webrootblog....loit_kit_01.png
Sample client-side exploits serving URLs:
hxxp ://eaglepointecondo .biz/detects/operation_alert_login.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: solaradvent @yahoo .com
hxxp ://platinumbristol .net/detects/alert-service.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: solaradvent @yahoo .com
Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: solaradvent @yahoo .com
Upon successful client-side exploitation, the campaign drops MD5: b360fec7652688dc9215fd366530d40c * ... Worm:Win32/Cridex.E.
Once executed, the sample performs the following activities:
Accesses Firefox’s Password Manager local database
Creates a thread in a remote process
Installs a program to run automatically at logon
It creates the following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
With the following value:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
KB00121600.exe = "%AppData%\KB00121600.exe"
It then creates the following Mutexes:
Local\XMM000003F8
Local\XMI000003F8
Local\XMRFB119394
Local\XMM000005E4
Local\XMI000005E4
Local\XMM0000009C
Local\XMI0000009C
Local\XMM000000C8
Local\XMI000000C8
It also drops the following MD5s:
MD5: 9e7577dc5d0d95e2511f65734249eba9
MD5: 61bb88526ff6275f1c820aac4cd0dbe9
MD5: b360fec7652688dc9215fd366530d40c
MD5: f6ee1fcaf7b87d23f09748cbcf5b3af5
MD5: d7a950fefd60dbaa01df2d85fefb3862
MD5: ed662e73f697c92cd99b3431d5d72091
It then phones back to 209.51.221.247/AJtw/UCyqrDAA/Ud+asDAA. We’ve already seen the same command and control server used in the following previously profiled malicious campaigns..."
* https://www.virustot...1fc10/analysis/
File name: readme.exe
Detection ratio: 32/45
Analysis date: 2012-12-20
___

Sendspace "You have been sent a file" SPAM / apendiksator .ru
- http://blog.dynamoo....-file-spam.html
20 Dec 2012 - "This fake Sendspace spam leads to malware on apendiksator .ru:
Date: Thu, 20 Dec 2012 09:25:36 -0300
From: "SHIZUKO Ho"
Subject: You have been sent a file (Filename: [redacted]-28.pdf)
Sendspace File Delivery Notification: You've got a file called [redacted]-6110219.pdf, (286.58 KB) waiting to be downloaded at sendspace. (It was sent by SHIZUKO Ho). You can use the following link to retrieve your file: Download Link The file may be available for a limited time only. Thank you, sendspace - The best free file sharing service. Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.
===
Date: Thu, 20 Dec 2012 05:05:02 +0100
From: "GENNIE Hensley"
Subject: You have been sent a file (Filename: [redacted]-7123391.pdf)
Sendspace File Delivery Notification: You've got a file called [redacted]-38335.pdf, (282.44 KB) waiting to be downloaded at sendspace. (It was sent by GENNIE Hensley). You can use the following link to retrieve your file: Download Link The file may be available for a limited time only. Thank you, sendspace - The best free file sharing service. Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

In these cases, the target URLs are [donotclick]site-dating2012 .asia/link.php and [donotclick]site-dating2012 .asia/link.php both hosted on 46.249.42.161 (Serverius Holding, Netherlands) and pretty much the same as the ones found a couple of days ago hiding out on 46.249.58.211 (also at Serverius Holding). These look like dating URLs, so you might assume that they are either a) a legitimate dating site or b) just some dating spam rather than malware. In any case, appearances are deceptive and it leads to a fake AV site that seems to be very similar to this one. The deception goes a little deeper, because the link.php pages even forward through a fake affiliate-style link such as [donotclick]best-dating2010 .info/?affid=00110&promo_type=5&promo_opt=1 before they get to the fake anti-virus page. The site also contains an apparent Java exploit that loads in from libertymonings.info on 84.200.77.218 (Misterhost, Germany) which was also used in this attack. The malicious code is found at the page [donotclick]libertymonings .info/index/zzz/?a=YWZmaWQ9MDAxMTA= which attempts to download a Java exploit from [donotclick]libertymonings .info/analizator_data/ztsvgnvlmhe-a.qsypes.jar which is pretty thinly detected according to VirusTotal*.
The following IPs and domains are all related and should be blocked if you can:
46.249.42.161
46.249.58.211
84.200.77.218
..."
* https://www.virustot...sis/1356045558/
File name: ztsvgnvlmhe-a.qsypes.jar
Detection ratio: 6/45
Analysis date: 2012-12-20

Edited by AplusWebMaster, 20 December 2012 - 07:47 PM.

Malware sites to block 21/12/12
- http://blog.dynamoo....ock-211212.html
21 Dec 2012 - "There are a series of malware domains on 91.201.215.173 apparently using a Java and PDF exploit to infect visitors. The infection mechanism appears to be coming from an unidentified ad running on the centerblog .net blogging system (I think specifically [donotclick]zezete2.centerblog .net/i-247-136-1356095651.html).
The malware URLs are quite lengthy and appear to be resistant to analysis, in the attack I have seen the following URLs were in use (don't visit these sites, obviously):
[donotclick]svwlekwtaign.avigorstats .pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/
[donotclick]mcruxdufxwnp.avigorstats .pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/
[break] indicates where I've added a linebreak to get it to fit on the page, remove that and the linebreak for a valid URL.
avigorstats .pro and its subdomains are hosted on 91.201.215.173 (PS Internet Company Ltd, Kazakhstan), but this is just the tip of a -huge- iceberg of malicious IPs and domains that are all interconnected.
Let's start with my personal recommended blocklist. If you are in Russia or Ukraine then you might want to be a bit more conservative with the Russian netblocks and refer to the raw IP list below (there's one list with ISPs listed, one plain one for copy and pasting)..
Recommended blocklist (annotated)...
Recommended blocklist (Plain list)..."
(Too long to post here - see the dynamoo URL above - great list to use!)
___

Profile Spy...- http://www.gfi.com/b...yan-apocalypse/Dec 21, 2012 - "... Profile Spy, a once viral scam on Facebook and Twitter that entices users to check out who have been viewing their profiles. Today, on the eve of the rumored 'EoW', it has decided to rear its ugly head once more... the criminals behind it have used a number of tactics to make users hand over their credentials or give them money — like asking users to “Like” their page, answer surveys and copy and paste a code into the address bar. This time, the scammers have used a lot of elements in this effort. One is Facebook, the other two are Tumblr and the Google Chrome Web Store. This scam starts off as a Facebook event invitation spammed to random users who are part of the mark’s network, a social engineering tactic already done in the past. Since the “event” is public, anyone can visit the page if the URL is shared... Visiting any of the links on the comment posted on the page leads users to a Tumblr profile. Clicking “Get it here” then leads users to a similar looking page, which is using Amazon‘s web service, where they can download the Facebook Profile Spy v2.0 for the Google Chrome Internet browser... This rogue extension, once installed, is capable of doing three things: firstly, it updates the mark’s Facebook status by sharing an image and commenting on it — secondly, the extension displays a fake “security CAPTCHA check” pop-up window where the mark can fill in names of persons in his/her network. This then results in the creation of the Profile Spy “event” invitation... [UPDATE: Google has now taken down the Profile Spy page on the Chrome Web Store.] Watch that mouse pointer... careful where you direct and click it."(Screenshots and more info available at the gfi URL above.)___

‘Work at Home’ scams impersonating CNBC spotted in the wild
- http://blog.webroot....ed-in-the-wild/
Dec 21, 2012 - "... a currently circulating “Work At Home” scam that’s successfully and professionally impersonating CNBC in an attempt to add more legitimacy to its market proposition – the Home Business System...
Sample screenshot of the spamvertised email impersonating CNBC:
> https://webrootblog....ome_scam_01.png
Sample screenshot of the fake CNBC news article detailing the success of the Home Business System:
> https://webrootblog....t_home_scam.png
No matter where you click, you’ll always be redirected to the Home Business System.
Sample bogus statistics sent by customers of the system:
> https://webrootblog....ome_scam_02.png
What’s particularly interesting about this campaign is the way the scammers process credit card details. They do it internally, not through a payment processing intermediary, using basic SSL encryption, featuring fake “Site Secured” logos, including one that’s mimicking the “VeriSign Secured” service. Although the SSL certificate is valid, the fact that they even require your CVV/CVV2 code, without providing adequate information on how they store and actually process the credit card numbers in their possession, is enough to make you extremely suspicious.
Sample spamvertised URLs:
hxxp ://5186d4d1.livefreetimenews .com/
hxxp ://5f4a8abae0.get-more-news .com/
Domains participating in the campaign:
worldnewsyesterday .com – Email: johnjbrannigan @teleworm .us
worldnewsimportant .com – Email: johnjbrannigan @teleworm .us
hbs-system .com – Email: cinthiaheimbignerupbg @hotmail .com
Historically, the following domains were also used in a similar fashion:
homeworkhere .com – Email: zoilaprni4d @yahoo .com
lastnewsworld .com – Email: shirleysmith57 @yahoo .com
homecompanysystem .com – Email: deloristrevertonef53 @yahoo .com
> https://webrootblog....ome_scam_04.png
Users are advised -not- to click on links found in spam emails, and to never entrust their credit card details to someone who’s spamvertising you using the services of some of the most prolific botnets currently online."

Edited by AplusWebMaster, 21 December 2012 - 08:00 PM.

"New message received" SPAM / siteswillsrockf .com and undering .asia
- http://blog.dynamoo....eived-spam.html
22 Dec 2012 - "This malicious spam run is part of this large cluster of malicious sites that I wrote about yesterday ( http://blog.dynamoo....ock-211212.html ).
Date: Sat, 22 Dec 2012 16:55:38 +0300
From: "Secure.Message" [FAA55EEEE @valencianadeparketts .es]
Subject: New message received
Click here to view the online version. Hello [redacted], You have 5 new messages. Read now Copyright 2012 SecurePrivateMessage. All rights reserved. If you would like to update your profile or unsubscribe, please click here. PLEASE DO NOT REPLY TO THIS MESSAGE. If you require Technical Support, please check Support Center for information.

Unlike most recent campaigns where the first link in the email is a legitimate but hacked site, this one links directly to a malware server at [donotclick]undering .asia/link.php?login.aspx=[emailaddress]&id=[redacted] with a link that features the email address as part of the URL (presumably to confirm that the address is live). The next step is a redirector link at [donotclick]undering .asia/?affid=00110&promo_type=5&promo_opt=1 which loads a fake anti-virus page, and then it attempts to download a Java exploit from [donotclick]siteswillsrockf .com/?a=YWZmaWQ9MDAxMTA=
undering .asia is hosted on 46.249.42.161, and siteswillsrockf .com on 46.249.42.168. Seeing two malicious sites so closely together indicates that there is a problem with the netblock, so having a closer look at those IPs shows:
inetnum: 46.249.42.0 - 46.249.42.255 ...
The block 46.249.42.0/24 seems to have been suballocated to an unidentified customer of Serverius* who have a long history of badness in their IP ranges. Based on this, I would suggest that you add the 46.249.42.0/24 range to your blocklist to prevent other unidentified malicious servers in this block from being a problem.
There are lots of other suspect domains on these two IPs as well:
46.249.42.161 ...
46.249.42.168 ..."
(Too many to post here - see the dynamoo URL above for more detail.)
* https://www.google.c...c?site=AS:50673
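Several of the dynamoo posts quoted in this thread (the apensiona .ru IP list, the Fake AV /29 recommendation, and the 46.249.42.0/24 reasoning just above) end in the same two defender steps: refang the "[donotclick]host .tld" indicators and decide whether two bad hosts in one netblock justify blocking the whole range. The Python below is an added example, not code from the forum poster or from the blogs quoted; SAMPLE is constructed from fragments of those posts, and the only defanging conventions it recognises are the ones used on this page.

```python
"""Turn the defanged indicators used in these posts into a checkable blocklist.

Added example, not code from the original posts or from the blogs they quote.
It understands only the defanging conventions visible on the page:
'[donotclick]host .tld', 'hxxp ://host .tld' and a bare 'host .tld' with a
space before the TLD. SAMPLE is constructed from fragments of the quoted posts.
"""
import ipaddress
import re

# Constructed sample text in the style of the quoted dynamoo posts.
SAMPLE = """
The malicious payload is at [donotclick]apensiona .ru:8080/forum/links/column.php
hosted on 109.235.71.144 (Serveriai, Lithuania), 176.31.111.198 (OVH, France)
and 217.112.40.69 (Utransit, UK). See also hxxp ://eaglepointecondo .biz/detects/x.php
undering .asia is hosted on 46.249.42.161, and siteswillsrockf .com on 46.249.42.168.
I would recommend blocking the entire 46.105.131.120/29 to be on the safe side.
"""

# Dotted quad, optionally followed by a CIDR prefix length.
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?\b")

# Two defanged host forms: one introduced by a marker, one marked only by the
# space before the TLD. Plain 'column.php' tokens are deliberately not matched,
# so URL path components are never mistaken for host names.
DEFANGED_HOST = re.compile(
    r"(?:\[donotclick\]|hxxps?\s?://)\s*([a-z0-9.-]+)\s?\.([a-z]{2,})"
    r"|\b([a-z0-9-]+(?:\.[a-z0-9-]+)*) \.([a-z]{2,})\b",
    re.IGNORECASE,
)


def refang_hosts(text):
    """Return the de-defanged host names found in text, unique and sorted."""
    hosts = set()
    for m in DEFANGED_HOST.finditer(text):
        if m.group(1):
            name, tld = m.group(1), m.group(2)
        else:
            name, tld = m.group(3), m.group(4)
        hosts.add(f"{name}.{tld}".lower())
    return sorted(hosts)


def extract_networks(text):
    """Return every IPv4 address and range in text as normalised CIDR strings.

    Bare addresses become /32. A non-aligned range such as the quoted post's
    '79.133.196.97/27' is normalised to its network address (79.133.196.96/27),
    which is what a firewall would actually install.
    """
    nets = set()
    for addr, plen in IPV4.findall(text):
        try:
            nets.add(ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False))
        except ValueError:  # an octet above 255 or a prefix length above 32
            continue
    return [str(n) for n in sorted(nets)]


def suggest_netblocks(text, prefixlen=24, min_hits=2):
    """Apply the posts' own rule of thumb: when at least min_hits single bad
    addresses fall in the same /prefixlen, propose blocking that supernet."""
    hits = {}
    for cidr in extract_networks(text):
        net = ipaddress.ip_network(cidr)
        if net.prefixlen != 32:       # ranges are already a blocking decision
            continue
        hits.setdefault(net.supernet(new_prefix=prefixlen), set()).add(net)
    return [str(n) for n, ips in sorted(hits.items()) if len(ips) >= min_hits]


def is_blocked(ip, text):
    """True if ip falls inside any address or range extracted from text."""
    target = ipaddress.ip_address(ip)
    return any(target in ipaddress.ip_network(c) for c in extract_networks(text))


if __name__ == "__main__":
    print("hosts:   ", refang_hosts(SAMPLE))
    print("networks:", extract_networks(SAMPLE))
    print("suggest: ", suggest_netblocks(SAMPLE))
    print("46.105.131.123 blocked:", is_blocked("46.105.131.123", SAMPLE))
```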

Edited by AplusWebMaster, 22 December 2012 - 03:51 PM.

.The machine has no brain.
......... Use your own.
Browser check for updateshere.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
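The posts in this thread defang their indicators ("[donotclick]", "hxxp ://", a space before the dot, "(dot)") and recommend blocking whole netblocks rather than single hosts. As an added example that is not part of the original post or the dynamoo blog, the Python below refangs indicators written in that style and checks the IPs they were reported resolving to against the two ranges the posts suggest blocking; the sample input is constructed from values quoted in this thread.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Netblocks the quoted dynamoo posts suggest blocking outright (values from the thread).
BLOCKED_RANGES = [
    ipaddress.ip_network("46.249.42.0/24"),  # Serverius sub-allocation (undering .asia et al.)
    ipaddress.ip_network("84.22.96.0/19"),   # Cyberbunker range behind the "Password Assistance" spam
]


def refang(indicator: str) -> str:
    """Undo the defanging conventions used in the posts so the value can be parsed.
    Handles '[donotclick]', 'hxxp ://', a space before a dot, '(dot)', ' @' and ' :port'."""
    s = indicator.strip().replace("[donotclick]", "")
    s = re.sub(r"\bhxxp(s?)\s*://", r"http\1://", s)   # "hxxp ://" -> "http://"
    s = s.replace("(dot)", ".")                         # "ivtvtter(dot)com" -> "ivtvtter.com"
    s = re.sub(r"\s+\.", ".", s)                        # "undering .asia" -> "undering.asia"
    s = re.sub(r"\s+@", "@", s)                         # "alerts @example" -> "alerts@example"
    s = re.sub(r"\s+:(\d+)", r":\1", s)                 # "1.2.3.4 :8080" -> "1.2.3.4:8080"
    return s


def host_of(indicator: str) -> str:
    """Return the bare hostname or IP of a defanged URL or host[:port]/path string."""
    s = refang(indicator)
    if "://" not in s:
        s = "//" + s  # let urlsplit treat the leading part as the netloc
    host = urlsplit(s).hostname
    if not host:
        raise ValueError(f"no host in indicator: {indicator!r}")
    return host


def blocked_by(ip_text: str):
    """Return the recommended block range that contains ip_text, or None."""
    ip = ipaddress.ip_address(ip_text)
    for net in BLOCKED_RANGES:
        if ip in net:
            return net
    return None


def triage(resolutions: dict) -> list:
    """Map defanged indicators (and the IPs they were seen resolving to) onto the
    block ranges; returns (host, ip, range-or-None) tuples for analyst review."""
    rows = []
    for indicator, ips in resolutions.items():
        host = host_of(indicator)
        for ip_text in ips:
            rows.append((host, ip_text, blocked_by(ip_text)))
    return rows


# Constructed sample input: indicator strings in the posts' defanged style, paired
# with the resolutions the posts report for them.
SAMPLE = {
    "[donotclick]undering .asia/link.php?login.aspx=[emailaddress]&id=[redacted]": ["46.249.42.161"],
    "[donotclick]siteswillsrockf .com/?a=YWZmaWQ9MDAxMTA=": ["46.249.42.168"],
    "hxxp ://canadapharmcanadian .net": ["109.120.138.155"],
    "ivtvtter(dot)com": [],
}

if __name__ == "__main__":
    for host, ip_text, net in triage(SAMPLE):
        verdict = f"covered by {net}" if net else "not in a recommended range"
        print(f"{host:28} {ip_text:16} {verdict}")
```

An IP that is not covered by a recommended range is not thereby clean; it simply needs a host-level block rather than a netblock one.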

Fake "SecureMessage" SPAM / infiesdirekt .asia, pacesetting .asia and siteswillsrockf .net- http://blog.dynamoo....direktasia.html23 Dec 2012 - "Another fake "SecureMessage" spamleading to malware, the same in principle to this spam run* and again hosted on the same Serverius-owned** IPs of 46.249.42.161 and 46.249.42.168. There are several variants of the spam, but they are all very similar and look something like this:Date: Sun, 23 Dec 2012 14:26:32 +0530 From: "Secure.Message" Subject: Alert: New message Click here to view the online version. Hello [redacted], You have 4 new messages. Read now Copyright 2012 SecureMessage. All rights reserved. If you would like to update your profile or unsubscribe, please click here. PLEASE DO NOT REPLY TO THIS MESSAGE. If you require Technical Support, please check Support Center for information.

... suspect that there is more malicious activity in the 46.249.42.0/24 range and blocking access to it would be a very good thing to do. These are the malicious domains that I can currently identify on those IPs..."(Long list at the dynamoo URL above.)* http://blog.dynamoo....eived-spam.html

Eastern bloc SPAM...- http://blog.dynamoo....e-athiests.html25 Dec 2012 - "... eastern bloc... spammers are sending out today.Date: Tue, 25 Dec 2012 22:56:51 -0700 From: "Ticket Support" Subject: Password Assistance Thank you for your letter of Dec 25, your information arrived today. Alright, here's the link to the site: Proceed to Site If we can help in any way, please do not hesitate to contact us. Regards, Yuonne Ferro, Support Team manager.

Some variants of the body text:- "Thank you for contacting us, your information arrived today."- "Thank you for your letter regarding our products and services, your information arrived today."- "Thank you for considering our products and services, your information arrived today."Some alternative sender names: "Jonie Gunther", "Noreen Macklin", "Bonny Oconnell". The spamvertised site is hosted on 84.22.104.123, which is Cyberbunker*. Given their awful reputation, I am surprised that they haven't been de-peered. Yet. There's certainly nothing of value at all in the 84.22.96.0/19 range, blocking the whole lot will cause you no harm. These are the other spammy domains on the same IP..."(More detail at the dynamoo URL above.)* https://en.wikipedia...usiness_Network"... a host of the infamous Russian Business Network cyber-crime gang..."

Pharmaceutical scammers spamvertise YouTube emails - counterfeit drugs...- http://blog.webroot....nterfeit-drugs/Dec 25, 2012 - "Pharmaceutical scammers are currently spamvertising a YouTube themed email campaign, attempting to socially engineer users into clicking on the links found in the legitimately looking emails. Upon clicking on the fake YouTube personal message notification, users are -redirected- to a website reselling popular counterfeit drugs. The cybercriminals behind the campaign then earn revenue through an affiliate network...Sample screenshot of the spamvertised email:> https://webrootblog....png?w=373&h=244Once users click on the link found in the email, they’re redirected to the following holiday-themed pharmaceutical web site:> https://webrootblog....e_01.png?w=1009Spamvertised URL: hxxp ://roomwithaviewstudios .com/inherits.htmlLanding URL: hxxp ://canadapharmcanadian .net – 109.120.138.155... fraudulent pharmaceutical sites have also been known to respond to the same IP (109.120.138.155)...(More detail at the webroot URL above.)...

This isn’t the first time that we’ve intercepted attempts by pharmaceutical scammers to socially engineer potential customers into clicking on the links found in legitimately looking emails. In the past, we’ve found fake Google Pharmacies and emails impersonating YouTube and Twitter, as well as Facebook Inc., in an attempt to add more authenticity and legitimacy to their campaigns. We expect to see -more- of these campaigns in 2013, with a logical peak over the next couple of days, so watch what you click on, don’t enter your credit card details on websites found in spam emails, and never bargain with your health."___

Fake E-billing SPAM / proxfied .net- http://blog.dynamoo....roxfiednet.html26 Dec 2012 - "There are various e-billing spam emails circulating today, pointing to malware on proxfied .net:Date: Wed, 26 Dec 2012 18:49:37 +0300 From: alets-no-reply @customercenter .citibank .com Subject: Your Further eBill from Citibank Credit Card Member: [redacted] Add alerts@ serviceemail2. citibank .com to your address book to ensure delivery. Your Account: Important Warning New eBill Available Account Number: **************8 Due Date: 12/28/2012 Amount Due: 175.36 Minimum Amount Due: 175.36 How do I view this bill? 1. Sign on to Citibank Online using this link. 2. Use the Payments Menu to find the bill mentioned in this message. 3. Select View Bill to review your bill details. Select the icon to see your bill summary. Please don't reply to this message. If you have any questions about your bill, please contact Citibank Credit Card directly. For online payment questions, please choose Bill Payment from the menu. E-mail Security Zone At the top of this message, you'll see an E-mail Security Zone. Its purpose is to help you examine that the e-mail was actually sent by Citibank. If you have questions, please visit our help center. To learn more about fraud, click "Security" at the bottom of the screen. To set up alerts sign on by clicking this link and go to Account Profile. I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online. View Your Account Pay Your Bill Contact Us Privacy | Security Email Preferences If you want to communicate with us in writing concerning this email, please direct your correspondence to: Citibank Customer Care Service P. O. Box 6200 Sioux Hills, SD 57870 Help / Contact Us If you have questions about your account, please use our secure message center by signing on at by clicking this link and clicking on "Contact Us" from the "Help / Contact Us" menu. 
2012 Citibank, N.A. All rights reserved. Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc. 3843054050826645 1/LO/439463/221/1I/6H/EH/7126/SYSTEF1 /E5225514741628064/2187 ====================(More sample FAKE emails shown at the dynamoo URL above.)

The malicious payload is at [donotclick]proxfied.net/detects/inform_rates.php hosted on 59.57.247.185 in China (a well-known malware IP address) along with these following malicious domains: sessionid0147239047829578349578239077 .pl, latticesoft .net, proxfied .net ..."___

Fake Twitter DM emails leads to Canadian Pharma SPAM- http://www.gfi.com/b...an-pharma-spam/Dec 27, 2012 - "We’re seeing quite a few of these “Can I use your…” style messages arriving in mailboxes, taking the form of fake Twitter DM notifications. The most common fakeouts seem to be asking about videos and photographs.> http://www.gfi.com/b...picpublish1.png "Hello, Can i publish link to your photo on my web page?" Another one says: "Hi. Can i publish link to your video on my home page?"In both cases, the emails will lead end-users to sites that are most definitely not Twitter. Some of the URLs are offline, but here’s one that is still standing:> http://www.gfi.com/b...picpublish2.jpgFestive Pharma spam – probably not what you need in your post-Xmas stocking. Do your best to steer clear of these."___

Fake British Airways E-ticket receipts serve malware- http://blog.webroot....-serve-malware/Dec 26, 2012 - "... Cybercriminals have resumed spamvertising fake British Airways themed E-receipts — we intercepted the same campaign back in October — in an attempt to trick its customers into executing the malicious attachment found in the emails...Sample screenshot of the spamvertised email:> https://webrootblog....lware.png?w=553Sample detection rate for the malicious attachment:MD5: b46709cf7a6ff6071a6342eff3699bf0 * ... Worm:Win32/Gamarue.IUpon execution, it creates the following mutex on infected hosts: SHIMLIB_LOG_MUTEXIt also initiates POST requests to the following IP: 87.255.51.229/ff/image.phpAs well as DNS requests to the following hosts:zzbb45nnagdpp43gn56 .com – 87.255.51.229a9h23nuian3owj12 .com – 87.255.51.229zzbg1zv329sbgn56 .com – 87.255.51.229http ://www.update .microsoft .com – 65.55.185.26ddbbzmjdkas .usddbbzmjdkas .usThe IPs are currently sinkholed by Abuse.ch..."* https://www.virustot...sis/1356554124/File name: BritishAirways-eticket.exeDetection ratio: 39/46Analysis date: 2012-12-26___

Fake ‘UPS Delivery Confirmation Failed’ emails lead to BlackHole Exploit Kit- http://blog.webroot....le-exploit-kit/Dec 27, 2012 - "... cybercriminals are currently mass mailing tens of thousands of emails impersonating UPS, in an attempt to trick users into clicking on the malicious links found in the legitimate-looking emails. Once they click on the links, they’re automatically exposed to the client-side exploits served by the BlackHole Exploit kit...Sample screenshot of the spamvertised email:> https://webrootblog....t_kit.png?w=603Sample spamvertised compromised URLs:hxxp ://www.aberdyn .fr/letter.htmhxxp ://www.aberdyn .fr/osc.htmSample client-side exploits serving URLs:hxxp ://apendiksator .ru:8080/forum/links/column.phphxxp ://sectantes-x .ru:8080/forum/links/column.phpSample malicious payload dropping URL:hxxp://sectantes-x .ru:8080/forum/links/column.php?uvt=0a04070634&wvqi=33&yrhsb=3307093738070736060b&vjppc=02000200020002Client-side exploits served: CVE-2010-0188Although we couldn’t reproduce the client-side exploitation taking place through these domains in the time of posting this analysis, we know that on 2012-09-27 one of the domains (sectantes-x .ru) also served client-side exploits, and dropped a particular piece of malware – MD5: 9f86a132c0a5f00705433632879a20b9 * ... Trojan-Ransom.Win32.PornoAsset.abup.Upon execution, the sample phones back to the following command and control servers:178.77.76.102 (AS20773)91.121.144.158 (AS16276)213.135.42.98 (AS15396)207.182.144.115 (AS10297)More MD5s are known to have phoned back to the same IPs..."* https://www.virustot...59be3/analysis/File name: e284d8a62b6d75b6818ed1150dde2a8bcc3489eeDetection ratio: 27/42Analysis date: 2012-09-30


The malicious payload is at [donotclick]tv-usib .com/detects/property-mass-dollar_figure.php hosted on the well-known IP of 59.57.247.185 in China. The following malicious domains appear to be on that IP: sessionid0147239047829578349578239077 .pl, tv-usib .com, proxfied .net, timesofnorth .net, latticesoft .net ..."


Malware sites to block - 2 Jan 2013 part II- http://blog.dynamoo....13-part-ii.html2 Jan 2013 - "Here's a bunch of malicious IPs and domains to block, mostly based on this in-depth research* at the Malware Must Die! blog.* http://malwaremustdi...am-up-with.htmlAs far as I can see, the domains in use are exclusively compromised consumer PCs dotted around the globe, rather than compromised or evil web servers.. so the ISPs are pretty irrelevant in this case. This type of infected host has a relatively short shelf-life, possibly just a few days, so you may or may not want to add them to your blocklist.IPs... Domains ..."(Long list at the dynamoo URL above.)


Twitter Phish DMs: “This profile on Twitter is spreading nasty blogs around about you”- http://www.gfi.com/b...ound-about-you/Jan 4, 2013 - "... the following missive doing the rounds on Twitter via DMs on compromised accounts:> http://www.gfi.com/b...1/twitspam1.jpgThere’s a number of URLs and fake logins being posted right now to users in a wide range of geographical locations, and it all comes down to Twitter phishing with at least one of the phish URLs being registered to an individual claiming to be located in Shanghai, China. That particular site - ivtvtter(dot)com – is currently offline (and also listed in Phishtank*)... attempting to login would result in a 404 error then a redirect to the real Twitter site to make everything look nice and legitimate. These types of Twitter scam come around often, and end-users should always be wary of “Have you seen this” style messaging from contacts..."* http://www.phishtank...hish_id=1643038___

Fake 'bank reports' emails lead to BlackHole Exploit Kit- http://blog.webroot....le-exploit-kit/Jan 3, 2013 - "Cybercriminals are currently spamvertising tens of thousands of emails in an attempt to impersonate the recipients’ bank, tricking them into thinking that the Ministry of Finance in their country has introduced new rules for records keeping, and that they need to print and sign a non-existent document. Once users click on the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the latest version of the BlackHole Exploit Kit...Sample screenshot of the spamvertised email:> https://webrootblog....exploit_kit.png... Malicious domain name reconnaissance:apendiksator .ru – 91.224.135.20; 210.71.250.131; 187.85.160.106Name server: ns1.apendiksator .ru – 62.76.186.24Name server: ns2.apendiksator .ru – 110.164.58.250Name server: ns3.apendiksator .ru – 42.121.116.38Name server: ns4.apendiksator .ru – 41.168.5.140Responding to the same IPs are also the following malicious domains part of the campaign’s infrastructure:afjdoospf .ru – 91.224.135.20angelaonfl .ru – 91.224.135.20akionokao .ru – 91.224.135.20 ...Although we couldn’t reproduce the malicious payload at apendiksator .ru, we found that the malicious payload served by immerialtv .ru (known to have responded to the same IP) is identical to the MD5: 83db494b36bd38646e54210f6fdcbc0d * ... VirTool:Win32/CeeInject. This MD5 was dropped in a previously profiled campaign..."* https://www.virustot...d73da/analysis/File name: cs8v0k.exeDetection ratio: 34/42Analysis date: 2012-06-20___

Fake O2 Shop emails - Phish ...- http://www.gfi.com/b...le-phishy-bait/Jan 7, 2013 - "... fake O2 Shop emails are in circulation at the moment, in the form of a “security update” asking for login credentials on the back of an “O2 account update” the recipient is supposed to have made. They’re pretty bare bones in terms of how they look, and you’ll notice that in the below example GMail flags it as spam so hopefully lots of other mail service providers will be doing the same thing.> http://www.gfi.com/b...3/01/fakeo2.jpgDear User, You can now check the progress of your account at My O2. Just go to [url removed] and enter your username and password. If you’ve forgotten these, we can send you a reminder here too. Once you’ve signed in, go to My account and follow the instructions. Regards, O2 Customer Service

As with so many of these fire and forget spam campaigns, the bulk of them seem to lead to currently AWOL phish pages so they’re likely being taken offline at a fair old pace... treat random mails asking for login credentials with large portions of suspicion, especially when – as above – they’re referencing changes made to your account that you haven’t actually made."



Malware sites to block 8/1/13
- http://blog.dynamoo....block-8113.html
8 Jan 2013 - "These IPs and domains appear to be active in malicious spam runs today: (list at the dynamoo URL above)
Quite a few of these IPs have been used in multiple attacks, blocking them would be prudent.

The link in the email goes to an exploit kit on [donotclick]cookingcarlog .net/detects/occasional-average-fairly.php (report here*) which is hosted on 89.207.132.144 (Snel Internet Services, Netherlands).
* http://wepawet.isecl...7658280&type=js

The malicious payload is on [donotclick]royalwinnipegballet .net/detects/occasional-average-fairly.php hosted on 89.207.132.144 (Snel Internet, Netherlands) which was hosting another attack site this morning (so best blocked in my opinion)



New Year, New Old Threats
- http://www.gfi.com/b...ew-old-threats/
Jan 9, 2013 - "... we have found an old Facebook scam, which dates back from two years ago, making rounds again and a spam-phishing ploy that is so 2007...(Screenshots available at the gfi URL above.)
Previous versions of this scam usually asks visitors to click “Like” buttons for pages, a method usually employed for the purpose of increasing the popularity of pages and their monetary value once sold. For the scam to proliferate within the network, users are also asked to update their Facebook profile with the above status message and link. Some versions present either a list of surveys to fill in or a form where users can enter their mobile numbers; only this latest scam offers both... Our researchers in the AV Labs found an in-the-wild email spam leading to a phishing attack. It targets users of the open-source webmail application, SquirrelMail... The email is exactly as it was back in 2007, so any user can take their cues from the outdated versions of the app mentioned and the supposed solution to the issue the email is attempting to address... advice? Delete the spam at once."
___

Something evil on 173.246.102.246
- http://blog.dynamoo....3246102246.html
9 Jan 2013 - "173.246.102.246 (Gandi, US) looks like it is being used for exploit kits being promoted either through malvertising or through exploited OpenX ad servers. In the example I have seen, the malicious payload is at [donotclick]11.lamarianella .info/read/defined_regulations-frequently.php (report here*). These other domains appear to be on the same server, all of which can be assumed to be malicious: (list at the dynamoo URL above)
These all appear to be legitimate but hijacked domains, you may want to block the whole domain rather than just the 11. subdomain."
* http://wepawet.isecl...4e4a3f1&type=js

The malicious payload is on [donotclick]hotelrosaire .net/detects/keyboard_ones-piece-ring.php hosted on 64.120.177.139 (HostNOC, US) which also hosts royalwinnipegballet .net which was seen in another BBB spam run yesterday."

Fake U.S Airways emails lead to BlackHole Exploit Kit- http://blog.webroot....le-exploit-kit/Jan 10, 2013 - "... On numerous occasions, we intercepted related campaigns attempting to trick customers into clicking on malicious links, which ultimately exposed them to the client-side exploits served by the latest version of the BlackHole Exploit Kit. Apparently, the click-through rates for these campaigns were good enough for cybercriminals to resume spamvertising related campaigns. In this post, I’ll profile the most recently spamvertised campaign impersonating U.S Airways...Sample screenshot of the spamvertised email:> https://webrootblog...._expoit_kit.png... Malicious domain name reconnaissance:attachedsignup .pro – 41.215.225.202 – Email: kee_mckibben0869 @macfreak .com... Upon successful client-side exploitation, the campaign drops MD5: 6f51e309530f8900be935716c3015f58 * ... Worm:Win32/Cridex.EThe executable creates the following registry entries:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7BAs well as the following mutexes:Local\XMM000003F8Local\XMI000003F8Local\XMRFB119394Local\XMM000005E4Local\XMI000005E4Local\XMM0000009CLocal\XMI0000009CLocal\XMM000000C8Local\XMI000000C8Once executed, the sample phones back to the following C&C servers:180.235.150.72 :8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/174.143.174.136 :8080/AJtw/UCyqrDAA/Ud+asDAA/We’ve already seen the same pseudo-random C&C phone back characters used... previously profiled malicious campaigns..."* https://www.virustot...bd1fe/analysis/File name: 6f51e309530f8900be935716c3015f58Detection ratio: 24/46Analysis date: 2012-12-07___

Fake ADP SPAM / tetraboro .net and advertizing* .com- http://blog.dynamoo....rtizingcom.html10 Jan 2013 - "This fake ADP spamleads to malware on tetraboro .net. It contains some errors, one of which is the subject line just says "adp_subj" rather than having been filled out properly... Date: Thu, 10 Jan 2013 17:48:09 +0200 [10:48:09 EST] From: "ADPClientServices @adp .com" [ADPClientServices @adp .com] Subject: adp_subj ADP Urgent Note Note No.: 33469 Respected ADP Consumer January, 9 2013 Your Processed Payroll Record(s) have been uploaded to the web site: Click here to Sign In Please take a look at the following details: • Please note that your bank account will be debited within one banking day for the amount(s) specified on the Protocol(s). Please don't reply to this message. auomatic informational system not configured to accept incoming mail. Please Contact your ADP Benefits Specialist. This notification was sent to current clients in your company that approach ADP Netsecure. As general, thank you for choosing ADP as your business butty! Ref: 33469

Fake Chrome updates return ...- http://www.gfi.com/b...updates-return/Jan 11, 2013 - "... fake Chrome update websitesleading to Malware – has returned...> http://www.gfi.com/b...chromefake1.jpgThe design of the website is identical to the initial rollout, urging the end-user to “Update Google Chrome: To make sure that you’re protected by the latest security updates”. If you attempt to download the file while using Chrome, the following prompt appears...> http://www.gfi.com/b...chromefake2.jpgThe file itself has been around for a while, being seen on around 14 or so websites since around October and is listed at Malwr.com which mentions attempts to access Firefox’s Password Manager local database – meanwhile, it’s listed on the comments section of VirusTotal* as being capable of stealing banking credentials. You’ll notice they mention Zeus – indeed, one of the DNS requests made is to a site by the Malware is related to ZBot / Blackhole exploit kit attacks. In fact, it seems to want to swipe information of a very similar nature to a ZBot infection from August of 2012 detailed on the ShadowServer Blog** (scroll down to the “data it tries to collect and steal”)... users of Chrome curious about updates should simply read the information on the relevant Google Chrome support page***".* https://www.virustot...02439/analysis/

The malicious payload is at [donotclick]dimanakasono .ru:8080/forum/links/column.php hosted on the following IPs: 91.224.135.20 (Proservis UAB, Lithuania), 187.85.160.106 (Ksys Soluções Web, Brazil), 212.112.207.15 (ip4 GmbH, Germany). The following IPs and domains are related and should be blocked: 91.224.135.20, 187.85.160.106, 212.112.207.15, belnialamsik .ru, demoralization .ru, dimanakasono .ru, bananamamor .ru___

Fake Intuit SPAM / dmeiweilik .ru- http://blog.dynamoo....ntuit-spam.html11 Jan 2013 - "This fake Intuit (or LinkedIn?) spamleads to malware on dmeiweilik .ru:Date: Fri, 11 Jan 2013 06:23:41 +0100 From: LinkedIn Password [password @linkedin .com] Subject: Payroll Account Holded by Intuit Direct Deposit Service Informer Communicatory OnlyWe cancelled your payroll on Fri, 11 Jan 2013 06:23:41 +0100. Finances would be gone away from below account# ending in 0198 on Fri, 11 Jan 2013 06:23:41+0100 amount to be seceded: 8057 USD Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 06:23:41 +0100 Log In to Review Operation Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded. Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website. Thank you for your business. Regards, Intuit Payroll Services===== From: messages-noreply @bounce .linkedin.com [mailto:messages-noreply @bounce .linkedin.com] On Behalf Of Lilianna Grimes via LinkedIn Sent: 10 January 2013 21:04 Subject: Payroll Account Holded by Intuit Direct Deposit Service Informer Communicatory OnlyWe cancelled your payroll on Fri, 11 Jan 2013 02:03:33 +0500. • Finances would be gone away from below account # ending in 8913 on Fri, 11 Jan 2013 02:03:33 +0500 • amount to be seceded: 9567 USD • Paychecks would be procrastinated to your personnel accounts on: Fri, 11 Jan 2013 02:03:33 +0500 • Log In to Review Operation Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded. Intuit must reject your payroll by 4 p.m. 
Central time, two banking days before your paycheck date or your state would not be paid on time. QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website. Thank you for your business. Regards, Intuit Payroll Services

The malicious payload is at [donotclick]dmeiweilik .ru:8080/forum/links/column.php hosted on the same IPs as in this attack*: 91.224.135.20 (Proservis UAB, Lithuania), 187.85.160.106 (Ksys Soluções Web, Brazil), 212.112.207.15 (ip4 GmbH, Germany). The following IPs and domains are related and should be blocked: 91.224.135.20, 187.85.160.106, 212.112.207.15, belnialamsik .ru, demoralization .ru, dimanakasono .ru, bananamamor .ru, dmeiweilik .ru ..."* http://blog.dynamoo....nakasonoru.html___

Blackhole SPAM runs...- http://blog.trendmic...-holiday-break/Jan 11, 2013 - "... now that the holidays are over, cybercriminals behind BHEK campaigns are back again, this time spoofing companies like HP, Federal Reserve Bank*, and Better Business Bureau**. In particular, the Better Business Bureau BHEK spam** claims to be a complaint report and urges its recipients to click a link pointing to the said claim letter report. The links eventually lead to sites that host the Blackhole Exploit Kit... we are expecting that cybercriminals will prefer creating more toolkits rather than making new malware..."* http://blog.trendmic...CH_bhekspam.jpg